detection-rules/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
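# Elastic prebuilt detection rule. It alerts on a process started by
# WerFault.exe when that WerFault parent carries the -s, -t and -c switches,
# which the referenced write-ups tie to the SilentProcessExit mechanism
# (a debugger registered under that registry key is launched by WerFault when
# the monitored process exits). The page as extracted carried a trailing
# " | |" gutter artefact on every line; it is dropped here so the document
# parses as TOML again.
[metadata]
creation_date = "2020/08/24"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Lowest stack version the rule is supported on; see min_stack_comments.
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
"""
# Expected benign sources of alerts; triage should confirm the parent command
# line and the child binary before tuning the exclusion list in the query.
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
# Look-back window for each rule execution.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
    "https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
# Evaluate against ingest time rather than event time; see the Setup section
# in `note` for indices that do not populate event.ingested.
timestamp_override = "event.ingested"
type = "eql"
# Query notes (EQL): `:` is a case-insensitive match and `?` is a single-
# character wildcard, so "?:\\..." covers any drive letter. The three
# process.parent.args checks are conjunctive - all of -s, -t and -c must be
# present on the WerFault command line for the event to match. The trailing
# `not process.executable` clause is a path-only allowlist of two vendor
# binaries seen as benign WerFault children; every path added here widens the
# rule's blind spot, so prefer scoping additions further (e.g. pairing with
# process.code_signature fields - confirm availability on the indexed data)
# over adding bare paths.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "WerFault.exe" and
  /* args -s and -t used to execute a process via SilentProcessExit mechanism */
  (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
  not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
'''

# ATT&CK mapping. Ordering matters: the [[rule.threat.technique]] and
# [rule.threat.tactic] sub-tables belong to the single [[rule.threat]] entry
# above them and must stay after it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"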