Werfault ReflectDebugger Persistence

Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the "-pr" parameter.


 1[metadata]
 2creation_date = "2023/08/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads
11every time the utility is executed with the "-pr" parameter.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Werfault ReflectDebugger Persistence"
18references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
19risk_score = 21
20rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Persistence",
27    "Data Source: Elastic Endgame",
28    "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34registry where host.os.type == "windows" and event.type == "change" and
35  registry.path : (
36    "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
37    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
38  )
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1546"
46name = "Event Triggered Execution"
47reference = "https://attack.mitre.org/techniques/T1546/"
48
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1112"
58name = "Modify Registry"
59reference = "https://attack.mitre.org/techniques/T1112/"
60
61
62[rule.threat.tactic]
63id = "TA0005"
64name = "Defense Evasion"
65reference = "https://attack.mitre.org/tactics/TA0005/"
