SNAKE Malware Service Persistence

calendar Apr 1, 2024 · attack.persistence detection.emerging_threats  ·
Share on: linkedin copy

Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report

Sigma rule (View on GitHub)

 1title: SNAKE Malware Service Persistence
 2id: b2e60816-96b2-45bd-ba91-b63578c03ef6
 3status: test
 4description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
 5references:
 6    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/05/10
 9tags:
10    - attack.persistence
11    - detection.emerging_threats
12logsource:
13    product: windows
14    service: system
15detection:
16    selection:
17        Provider_Name: 'Service Control Manager'
18        EventID: 7045
19        ServiceName|contains: 'WerFaultSvc' # Note: The report contains a "," in the name ("WerFaultSvc,"). Since we can't confirm if its a typo or not we don't use it
20        ImagePath|startswith: 'C:\Windows\WinSxS\'
21        ImagePath|endswith: '\WerFault.exe'
22    condition: selection
23falsepositives:
24    - Unknown
25level: critical

References

  • ÈÌ)-_0±çº~˜! Ø s(,2QPƉhÜÇÏ3¶|ˆ–}Iøç¹&·œÚÛ;†›„'ΕT H®2c•üä…Ò_åjÈhõ£WCcâ3 Lîý2OjÄp(š»AÙÞɳ¨¤ÂïíûË7>g‰²� ß&�Ã�M-pïA[~§Æ¹ÔÌ ÑùEÀ¼ *\?õEÂD„ĵNšæ°úþ,$ØkÜ…›÷ºz¾%}_ü“0['.Ý& )V:x¹´¼ª¶®aX...


    Read More

Related rules

to-top