Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Sigma rule (View on GitHub)
1title: Creation of WerFault.exe/Wer.dll in Unusual Folder
2id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
3status: test
4description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
5references:
6 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
7author: frack113
8date: 2022-05-09
9modified: 2024-11-28
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1574.001
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 TargetFilename|endswith:
20 - '\WerFault.exe'
21 - '\wer.dll'
22 filter_main_known_locations:
23 TargetFilename|startswith:
24 - 'C:\Windows\SoftwareDistribution\'
25 - 'C:\Windows\System32\'
26 - 'C:\Windows\SysWOW64\'
27 - 'C:\Windows\WinSxS\'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Unknown
31level: medium
References
-
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Fax Service DLL Search Order Hijack
- HackTool - Powerup Write Hijack DLL
- Microsoft Office DLL Sideload