Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" command-line flag, which runs the file stored in the ReflectDebugger key. That key can be pointed at malware so that the payload is launched by the legitimate Windows Error Reporting binary, masquerading the execution flow.
Sigma rule
```yaml
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
      type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        CommandLine|contains: ' -pr '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
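To show what the detection above actually matches, here is an added Python example (not part of the Sigma project or this rule) that evaluates the rule's `selection_*` blocks and `all of selection_*` condition against a few constructed process_creation events. Field names follow Sysmon Event ID 1 (`Image`, `OriginalFileName`, `CommandLine`); the events and command lines are made up for illustration.

```python
# Added example: applies the rule's detection logic to constructed events.
# Sigma semantics used here: a list under a selection is OR, a map is AND,
# string matching is case-insensitive, and the condition ANDs all selections.

RULE = {
    "selection_img": [                      # list -> any entry may match (OR)
        {"Image|endswith": "\\WerFault.exe"},
        {"OriginalFileName": "WerFault.exe"},
    ],
    "selection_cli": {                      # map -> every field must match (AND)
        "CommandLine|contains": " -pr ",
    },
}

def field_matches(event, key, expected):
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    # condition: all of selection_*
    return all(selection_matches(event, sel)
               for name, sel in RULE.items() if name.startswith("selection_"))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4812 -s 1234"},  # normal crash report
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": "WerFault.exe -pr 1"},  # ReflectDebugger invocation -> alert
    {"Image": r"C:\Users\u\AppData\Local\Temp\report.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": "report.exe -pr 1"},  # renamed copy still caught via OriginalFileName
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo -pr "},  # "-pr" without WerFault -> no alert
]

def alerts(events):
    """Return the command lines of events the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for cmdline in alerts(SAMPLE_EVENTS):
        print("ALERT:", cmdline)
```

Note that the rule requires the surrounding spaces in `' -pr '`, so a command line that ends in `-pr` with no trailing argument would not match as written.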