SNAKE Malware WerFault Persistence File Creation

Detects the creation of a file named "WerFault.exe" anywhere under the WinSxS directory by a process whose image does not itself reside in System32, SysWOW64 or WinSxS. The rule's filter is keyed only on the creating process's image path: a write from any executable located in one of those three directories (the servicing stack included) is excluded, while any other process dropping WerFault.exe into WinSxS alerts. Such a drop matches the SNAKE persistence mechanism described in the joint CSA referenced in the rule; since the listed false positives are "Unknown", baseline WinSxS write activity in your environment before deploying this at level high.

Sigma rule

title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/10
modified: 2023/05/18
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '\WerFault.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
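To show what the `selection and not 1 of filter_main_*` condition actually accepts and rejects, here is an added example (written for this page; it is not code from the Sigma project or from the rule's author) that re-implements the rule's two blocks in Python and runs them over constructed Sysmon Event ID 11 (FileCreate) records. Field names `Image` and `TargetFilename` follow the Sysmon schema that Sigma's `windows`/`file_event` log source maps to; all paths, directory names and record IDs in the sample events are made up for the example. Case folding is this example's way of honouring the Sigma specification's case-insensitive string matching; a real deployment would compile the rule with a Sigma backend rather than use this code.

```python
# Added example, not part of the page or the Sigma project: evaluate the
# SNAKE WerFault rule over constructed Sysmon EID 11 records.

# Values copied verbatim from the rule's 'selection' and
# 'filter_main_system_location' blocks.
TARGET_PREFIX = "C:\\Windows\\WinSxS\\"
TARGET_SUFFIX = "\\WerFault.exe"
FILTER_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


def _norm(value: str) -> str:
    # Sigma string comparisons are case-insensitive; fold both sides.
    return value.lower()


def selection_matches(event: dict) -> bool:
    """'selection': TargetFilename starts with the WinSxS prefix AND ends with \\WerFault.exe."""
    target = _norm(event.get("TargetFilename", ""))
    return target.startswith(_norm(TARGET_PREFIX)) and target.endswith(_norm(TARGET_SUFFIX))


def filter_main_system_location(event: dict) -> bool:
    """'filter_main_system_location': Image starts with any of the listed system directories."""
    image = _norm(event.get("Image", ""))
    return any(image.startswith(_norm(prefix)) for prefix in FILTER_IMAGE_PREFIXES)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*  (only one filter_main_ block exists)."""
    return selection_matches(event) and not filter_main_system_location(event)


def evaluate(events) -> list:
    """Return the RecordIds of the events that would raise this alert."""
    return [event["RecordId"] for event in events if rule_matches(event)]


# Constructed sample events (not real telemetry); only the fields the rule uses.
SAMPLE_EVENTS = [
    {   # 1: installer in a user-writable path drops WerFault.exe into WinSxS -> alert
        "RecordId": 1,
        "Image": "C:\\Users\\Public\\installer.exe",
        "TargetFilename": "C:\\Windows\\WinSxS\\example_component_dir\\WerFault.exe",
    },
    {   # 2: a worker whose image lives in WinSxS writes the same file -> excluded by the filter
        "RecordId": 2,
        "Image": "C:\\Windows\\WinSxS\\example_servicing_dir\\TiWorker.exe",
        "TargetFilename": "C:\\Windows\\WinSxS\\example_component_dir\\WerFault.exe",
    },
    {   # 3: same installer, but the file lands outside WinSxS -> selection does not match
        "RecordId": 3,
        "Image": "C:\\Users\\Public\\installer.exe",
        "TargetFilename": "C:\\Windows\\Temp\\WerFault.exe",
    },
    {   # 4: mixed-case paths; matching is case-insensitive, so this still alerts
        "RecordId": 4,
        "Image": "c:\\temp\\dropper.EXE",
        "TargetFilename": "c:\\windows\\winsxs\\example_component_dir\\werfault.exe",
    },
    {   # 5: image path under System32 -> excluded regardless of who launched it
        "RecordId": 5,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Windows\\WinSxS\\example_component_dir\\WerFault.exe",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "no match"
        print(f"RecordId {event['RecordId']}: {verdict}")
    print("Alerting records:", evaluate(SAMPLE_EVENTS))
```

Records 1 and 4 alert; 2 and 5 show that the filter tests only the creating process's image path, so a living-off-the-land copy run from `System32` is silent by design, and 3 shows that WerFault.exe written anywhere other than WinSxS is out of scope for this rule.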
