Potential WerFault ReflectDebugger Registry Value Abuse

 1title: Potential WerFault ReflectDebugger Registry Value Abuse
 2id: 0cf2e1c6-8d10-4273-8059-738778f981ad
 3related:
 4    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
 5      type: derived
 6status: test
 7description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
 8references:
 9    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
10    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
11author: X__Junior
12date: 2023/05/18
13tags:
14    - attack.defense_evasion
15    - attack.t1036.003
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        EventType: 'SetValue'
22        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• Malware development: persistence - part 18. Windows Error Reporting. Simple C++ example.

  

  ﷽

  
  Read More

• Beyond good ol’ Run key, Part 85

  

  This is a LOLbinish 2-stage persistence trick. One where we add startup items to point to OS  binaries, and – while they will be ignored by many users and security solutions (at least at first glan...

  
  Read More

Related rules

• File Download Via Bitsadmin To A Suspicious Target Folder
• File With Suspicious Extension Downloaded Via Bitsadmin
• Potential Homoglyph Attack Using Lookalike Characters
• Potential Homoglyph Attack Using Lookalike Characters in Filename
• Processes Executing with Unusual Command Lines