Suspicious Werfault.exe Network Connection Outbound

Adversaries can migrate Cobalt Strike, Metasploit or other C2 beacons on compromised systems into the legitimate werfault.exe (Windows Error Reporting) process to avoid detection; this rule flags outbound network connections from werfault.exe that do not look like normal error-reporting traffic.

Sigma rule

```yaml
title: Suspicious Werfault.exe Network Connection Outbound
id: e12c75f2-d09e-43f6-90e4-6a23842907af
status: experimental
description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
references:
    - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
author: Sreeman
date: 2021/03/09
modified: 2021/06/11
tags:
    - attack.command_and_control
    - attack.t1571
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    Image: 'werfault.exe'
  filter1:
    ParentImage: 'svchost.exe'
  filter2:
    DestinationIp:
        - '104.42.151.234'
        - '104.43.193.48'
        - '52.255.188.83'
        - '13.64.90.137'
        - '168.61.161.212'
        - '13.88.21.125'
        - '40.88.32.150'
        - '52.147.198.201'
        - '52.239.207.100'
        - '52.176.224.96'
        - '2607:7700:0:24:0:1:287e:1894'
        - '10.*'
        - '192.168.*'
        - '127.*'
  filter3:
    DestinationHostname|contains:
        - '*.windowsupdate.com'
        - '*.microsoft.com'
  condition: selection and not ( filter1 and filter2 and filter3 )
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces
level: medium
```
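To show how the condition above evaluates on real event fields, here is an added Python example (not part of the rule or of SigmaHQ) that implements the rule's selection and filters with Sigma's case-insensitive wildcard semantics and runs them over constructed Sysmon-style network_connection events. It assumes Image and ParentImage are compared by file name, since Sysmon records full paths.

```python
import fnmatch

# Allow-lists copied from the Sigma rule above (filter2 and filter3).
FILTER2_DST_IPS = [
    '104.42.151.234', '104.43.193.48', '52.255.188.83', '13.64.90.137',
    '168.61.161.212', '13.88.21.125', '40.88.32.150', '52.147.198.201',
    '52.239.207.100', '52.176.224.96', '2607:7700:0:24:0:1:287e:1894',
    '10.*', '192.168.*', '127.*',
]
FILTER3_HOSTS = ['*.windowsupdate.com', '*.microsoft.com']


def sigma_match(value, patterns, contains=False):
    """Sigma string semantics: case-insensitive, '*' and '?' wildcards;
    the |contains modifier wraps each pattern in '*...*'."""
    value = str(value).lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if contains:
            pattern = f"*{pattern}*"
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def image_name(path):
    # Assumption: compare the file name only, since Sysmon logs full paths.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(ev):
    """True when the event fires: selection and not (filter1 and filter2 and filter3)."""
    selection = sigma_match(image_name(ev.get("Image", "")), ["werfault.exe"])
    filter1 = sigma_match(image_name(ev.get("ParentImage", "")), ["svchost.exe"])
    filter2 = sigma_match(ev.get("DestinationIp", ""), FILTER2_DST_IPS)
    filter3 = sigma_match(ev.get("DestinationHostname", ""), FILTER3_HOSTS, contains=True)
    return selection and not (filter1 and filter2 and filter3)


# Constructed sample events using the Sigma field names for Sysmon EID 3.
WER = r"C:\Windows\System32\WerFault.exe"
SVC = r"C:\Windows\System32\svchost.exe"
EVENTS = [
    {"Image": WER, "ParentImage": SVC, "DestinationIp": "52.176.224.96",
     "DestinationHostname": "watson.microsoft.com"},      # 0: all filters hold, suppressed
    {"Image": WER, "ParentImage": SVC, "DestinationIp": "203.0.113.7",
     "DestinationHostname": "cdn.example.net"},           # 1: public IP, non-Microsoft host
    {"Image": WER, "ParentImage": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.0.0.5", "DestinationHostname": "fs.corp.example"},  # 2: parent not svchost
    {"Image": SVC, "ParentImage": r"C:\Windows\System32\services.exe",
     "DestinationIp": "203.0.113.7", "DestinationHostname": "cdn.example.net"},  # 3: not werfault
]


def alerts(events=EVENTS):
    """Indexes of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(ev)]
```

Because the three filters are ANDed, an event is suppressed only when the parent, destination IP and hostname all look like Windows Error Reporting traffic; event 2 (internal 10.x destination but a non-svchost parent) still alerts, which is the behaviour the falsepositives entry warns about.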
