Werfault ReflectDebugger Persistence

Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the "-pr" parameter.

Elastic rule

```toml
[metadata]
creation_date = "2023/08/29"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads
every time the utility is executed with the "-pr" parameter.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Werfault ReflectDebugger Persistence"
references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
risk_score = 21
rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
    "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Werfault ReflectDebugger Persistence

Werfault, the Windows Error Reporting service, can be manipulated by attackers to maintain persistence. By registering a ReflectDebugger, adversaries can execute malicious code whenever Werfault is triggered with specific parameters. The detection rule monitors registry changes in key paths associated with ReflectDebugger, alerting on unauthorized modifications indicative of potential abuse.

### Possible investigation steps

- Review the registry change event details to identify the specific path modified, focusing on the paths listed in the query: "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger", or "MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger".
- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with other suspicious activities or events on the system around the same time.
- Investigate the user account or process responsible for the registry change to assess whether it is a legitimate action or potentially malicious. Look for unusual or unauthorized accounts making the change.
- Examine the system for any recent executions of Werfault with the "-pr" parameter, as this could indicate attempts to trigger the malicious payload.
- Search for any related alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, SentinelOne, or Sysmon that might provide additional context or corroborate the suspicious activity.
- Assess the system for any signs of compromise or persistence mechanisms, such as unexpected startup items, scheduled tasks, or other registry modifications that could indicate a broader attack.

### False positive analysis

- Legitimate software installations or updates may modify the ReflectDebugger registry key as part of their error reporting configuration. Users can create exceptions for known software vendors by verifying the digital signature of the executable associated with the change.
- System administrators may intentionally configure the ReflectDebugger for debugging purposes. Document and whitelist these changes in the security monitoring system to prevent unnecessary alerts.
- Automated system maintenance tools might interact with the ReflectDebugger registry key. Identify and exclude these tools by correlating the registry changes with scheduled maintenance activities.
- Security software or endpoint protection solutions may alter the ReflectDebugger settings as part of their protective measures. Confirm these changes with the security vendor and add them to the exclusion list if deemed safe.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further execution of malicious code via the Werfault ReflectDebugger.
- Terminate any suspicious processes associated with Werfault that are running with the "-pr" parameter to halt potential malicious activity.
- Remove unauthorized entries from the registry path "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger" to eliminate persistence mechanisms.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection tools to identify and remove any additional malware or malicious artifacts.
- Review and restore any system or application configurations that may have been altered by the attacker to their original state.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for registry changes in the specified paths to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
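As an added example (not part of the Elastic rule or its repository), the following Python replays the query's registry-path match over constructed ECS-style registry events: it shows which of the three path spellings fire, that EQL's `:` comparison is case-insensitive, and that a sibling value under the same key or a deletion of the ReflectDebugger value does not alert. Field names follow ECS; every event and value below is constructed.

```python
# Added example (not Elastic's code): replays the rule's EQL match over constructed
# ECS-style registry events so the path spellings and the edge cases are explicit.
from typing import Iterable

# The three registry.path spellings listed in the rule's EQL query, lower-cased because
# EQL's ':' operator compares strings case-insensitively.
REFLECT_DEBUGGER_PATHS = frozenset(p.lower() for p in (
    r"HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
    r"\REGISTRY\MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
    r"MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
))


def matches_rule(event: dict) -> bool:
    """Mirror the EQL: registry category, Windows host, event.type == "change",
    and registry.path equal (case-insensitively) to one of the listed spellings."""
    if event.get("event.category") != "registry":
        return False
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    return event.get("registry.path", "").lower() in REFLECT_DEBUGGER_PATHS


def triage(events: Iterable[dict]) -> list:
    """Return (path, writing process, new value) for each hit: the fields the
    investigation steps in the rule note ask an analyst to look at first."""
    return [(e["registry.path"], e.get("process.executable"), e.get("registry.data.strings"))
            for e in events if matches_rule(e)]


def _ev(path: str, exe: str, value: str, etype: str = "change") -> dict:
    """Build one constructed ECS-style registry event (not real telemetry)."""
    return {"event.category": "registry", "event.type": etype, "host.os.type": "windows",
            "registry.path": path, "process.executable": exe, "registry.data.strings": [value]}


# Constructed sample events: two true positives, one sibling value, one deletion.
SAMPLE_EVENTS = [
    _ev(r"HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
        r"C:\Users\Public\setup.exe", r"C:\Users\Public\dbg.exe"),
    _ev(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
        r"C:\Windows\regedit.exe", r"C:\Tools\windbg.exe"),          # differs only in case
    _ev(r"HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ConstructedOtherValue",
        r"C:\Windows\System32\svchost.exe", "8"),                   # sibling value: no alert
    _ev(r"HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
        r"C:\Windows\regedit.exe", "", etype="deletion"),           # removal: no alert
]

if __name__ == "__main__":
    for path, exe, value in triage(SAMPLE_EVENTS):
        print(f"ALERT {path} written by {exe} -> {value}")
```

The second hit is the admin-debugging false-positive case from the rule note: the match alone cannot tell it from abuse, so the writing process and the new value are what the analyst must review.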

