Skip to content
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time
creation_date = "2020/08/24"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
index = ["winlogbeat-*", "*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
references = [
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and : "WerFault.exe" and
/* args -s and -t used to execute a process via SilentProcessExit mechanism */
(process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
framework = "MITRE ATT&CK"
id = "T1036"
name = "Masquerading"
reference = ""
id = "TA0005"
name = "Defense Evasion"
reference = ""