Creation of an WerFault.exe in Unusual Folder

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.t1574.001 ·

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking

Sigma rule (View on GitHub)

 1title: Creation of an WerFault.exe in Unusual Folder
 2id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
 3status: test
 4description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
 5references:
 6    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 7author: frack113
 8date: 2022-05-09
 9tags:
10    - attack.persistence
11    - attack.defense-evasion
12    - attack.t1574.001
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        TargetFilename|endswith:
19            - '\WerFault.exe'
20            - '\wer.dll'
21    filter_whitelist:
22        TargetFilename|contains:
23            - '\System32\'
24            - '\SysWOW64\'
25            - '\WinSxS\'
26    condition: selection and not filter_whitelist
27falsepositives:
28    - Unknown
29level: high

References

Hackers are now hiding malware in Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

Read More

Creation of an WerFault.exe in Unusual Folder

Sigma rule (View on GitHub)

References

Hackers are now hiding malware in Windows Event Logs

Related rules