Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Sigma rule (View on GitHub)
1title: Creation of WerFault.exe/Wer.dll in Unusual Folder
2id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
3status: test
4description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
5references:
6 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
7author: frack113
8date: 2022-05-09
9modified: 2025-12-03
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.execution
14 - attack.stealth
15 - attack.t1574.001
16logsource:
17 product: windows
18 category: file_event
19detection:
20 selection:
21 TargetFilename|endswith:
22 - '\WerFault.exe'
23 - '\wer.dll'
24 filter_main_known_locations:
25 TargetFilename|startswith:
26 - 'C:\Windows\SoftwareDistribution\'
27 - 'C:\Windows\System32\'
28 - 'C:\Windows\SysWOW64\'
29 - 'C:\Windows\WinSxS\'
30 - 'C:\Windows\UUS\arm64\'
31 condition: selection and not 1 of filter_main_*
32falsepositives:
33 - Unknown
34level: medium
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL