Creation of an WerFault.exe in Unusual Folder
Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
Sigma rule (View on GitHub)
1title: Creation of an WerFault.exe in Unusual Folder
2id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
3status: test
4description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
5references:
6 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
7author: frack113
8date: 2022/05/09
9tags:
10 - attack.persistence
11 - attack.defense_evasion
12 - attack.t1574.001
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|endswith:
19 - '\WerFault.exe'
20 - '\wer.dll'
21 filter_whitelist:
22 TargetFilename|contains:
23 - '\System32\'
24 - '\SysWOW64\'
25 - '\WinSxS\'
26 condition: selection and not filter_whitelist
27falsepositives:
28 - Unknown
29level: high
References
-
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
Read More
Related rules
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via comctl32.dll
- VMGuestLib DLL Sideload