Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Sigma rule (View on GitHub)
1title: Creation of WerFault.exe/Wer.dll in Unusual Folder
2id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
3status: test
4description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
5references:
6 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
7author: frack113
8date: 2022-05-09
9modified: 2025-12-03
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.t1574.001
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 TargetFilename|endswith:
21 - '\WerFault.exe'
22 - '\wer.dll'
23 filter_main_known_locations:
24 TargetFilename|startswith:
25 - 'C:\Windows\SoftwareDistribution\'
26 - 'C:\Windows\System32\'
27 - 'C:\Windows\SysWOW64\'
28 - 'C:\Windows\WinSxS\'
29 - 'C:\Windows\UUS\arm64\'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Unknown
33level: medium
References
-
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
Read More
Related rules
- Potential System DLL Sideloading From Non System Locations
- Use Of Hidden Paths Or Files
- Creation Of Non-Existent System DLL
- Unsigned .node File Loaded
- Potential PlugX Activity