Werfault ReflectDebugger Persistence

 1[metadata]
 2creation_date = "2023/08/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads
13every time the utility is executed with the "-pr" parameter.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Werfault ReflectDebugger Persistence"
20references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
21risk_score = 21
22rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29registry where host.os.type == "windows" and event.type == "change" and
30  registry.path : (
31    "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
32    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
33  )
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1546"
41name = "Event Triggered Execution"
42reference = "https://attack.mitre.org/techniques/T1546/"
43
44[rule.threat.tactic]
45id = "TA0003"
46name = "Persistence"
47reference = "https://attack.mitre.org/tactics/TA0003/"
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1112"
54name = "Modify Registry"
55reference = "https://attack.mitre.org/techniques/T1112/"
56
57
58[rule.threat.tactic]
59id = "TA0005"
60name = "Defense Evasion"
61reference = "https://attack.mitre.org/tactics/TA0005/"