Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" command-line flag, which is used to run files stored in the ReflectDebugger key; that key could be used to store the path to malware in order to masquerade the execution flow.
Sigma rule
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
      type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        CommandLine|contains: ' -pr '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
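The detection block above is the whole of the rule's logic. As an added illustration that is not part of the Sigma project or of this rule, the following Python re-implements the two selections and the `all of selection_*` condition and runs them over a few constructed process-creation events (the image paths, PIDs and command lines are made up for the example). It also shows one boundary a practitioner should know about: the `' -pr '` pattern needs a space on both sides, so a command line that ends in `-pr` with nothing after it does not match the rule as written.

```python
"""Re-implementation of the WerFault.exe "-pr" Sigma rule's selection logic.

Added example, not code from the Sigma project: it mirrors the rule's
selection_img / selection_cli blocks and evaluates constructed events.
"""
from dataclasses import dataclass


@dataclass
class ProcessCreationEvent:
    """Minimal process_creation event with the three fields the rule reads."""
    image: str               # Image: full path of the started executable
    original_file_name: str  # OriginalFileName: from the PE version resource
    command_line: str        # CommandLine: as logged by the event source


# Sigma string matching (plain equality, |contains, |endswith) is
# case-insensitive by default, so every comparison below lowercases both sides.
def _endswith_ci(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _contains_ci(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def selection_img(event: ProcessCreationEvent) -> bool:
    """A list of two maps under selection_img means OR between the entries.

    The OriginalFileName branch keeps a renamed copy of WerFault.exe in scope.
    """
    return (_endswith_ci(event.image, "\\WerFault.exe")
            or event.original_file_name.lower() == "werfault.exe")


def selection_cli(event: ProcessCreationEvent) -> bool:
    """Single map: CommandLine|contains ' -pr ' (spaces on both sides)."""
    return _contains_ci(event.command_line, " -pr ")


def matches_werfault_reflectdebugger(event: ProcessCreationEvent) -> bool:
    """condition: all of selection_*  ->  selection_img AND selection_cli."""
    return selection_img(event) and selection_cli(event)


def alerting_command_lines(events) -> list:
    """Return the command lines of every event the rule would fire on."""
    return [e.command_line for e in events if matches_werfault_reflectdebugger(e)]


# Constructed sample events (paths, PIDs and names are invented for this example).
SAMPLE_EVENTS = [
    # 1. WerFault started with -pr: the pattern the rule is written for.
    ProcessCreationEvent(
        image=r"C:\Windows\System32\WerFault.exe",
        original_file_name="WerFault.exe",
        command_line=r"C:\Windows\System32\WerFault.exe -pr 4242",
    ),
    # 2. Ordinary crash-reporting invocation without -pr: must not alert.
    ProcessCreationEvent(
        image=r"C:\Windows\System32\WerFault.exe",
        original_file_name="WerFault.exe",
        command_line=r"C:\Windows\System32\WerFault.exe -u -p 1234 -s 2000",
    ),
    # 3. Renamed copy of WerFault.exe: Image does not match, OriginalFileName does.
    ProcessCreationEvent(
        image=r"C:\Users\Public\svc.exe",
        original_file_name="WerFault.exe",
        command_line=r"C:\Users\Public\svc.exe -PR 1000",
    ),
    # 4. Boundary case: "-pr" is the last token, so there is no trailing space
    #    and the rule's ' -pr ' pattern does not match as written.
    ProcessCreationEvent(
        image=r"C:\Windows\System32\WerFault.exe",
        original_file_name="WerFault.exe",
        command_line=r"C:\Windows\System32\WerFault.exe -pr",
    ),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_werfault_reflectdebugger(event) else "ok   "
        print(f"{verdict}  {event.command_line}")
```

Events 1 and 3 alert, events 2 and 4 do not. Event 3 is why the rule keeps the `OriginalFileName` alternative next to the `Image|endswith` check: the PE resource name survives a rename on disk. Event 4 is a tuning point rather than a bug; whether to widen the pattern is a decision for the deploying team, weighed against the unknown false-positive rate the rule itself declares.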