
Summary
This rule is designed to detect potential abuse of the WerFault 'ReflectDebugger' registry value, which is commonly exploited by threat actors to achieve persistence on Windows systems. The ReflectDebugger value, located under "\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger", can be manipulated to redirect debugger functionality for malicious purposes, effectively allowing an attacker to execute arbitrary code or maintain control over the system after a crash or error. The rule monitors for registry events indicating that the ReflectDebugger value has been modified. High severity is assigned because of the potential for serious compromise if it is exploited. The additional references provide insight into past abuses of this registry value and context for its relevance in the threat landscape.
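As an added example (not the rule's own logic), the matching described above can be reproduced over registry "value set" events: it assumes Sysmon-style fields (Event ID 13 with a TargetObject path and Details payload) and uses constructed sample events rather than data from any real host.

```python
"""Match registry value-set events against the WerFault ReflectDebugger path.

Added example; sample events below are constructed, not captured logs.
Assumes Sysmon-like field names: EventID (13 = value set), Image,
TargetObject (full registry path), Details (data written).
"""
import re

# Suffix of the path the rule describes; matched case-insensitively under
# any hive prefix (HKLM\SOFTWARE\..., WOW6432Node, etc.).
REFLECT_DEBUGGER_SUFFIX = (
    r"\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger"
)
_PATTERN = re.compile(re.escape(REFLECT_DEBUGGER_SUFFIX) + r"$", re.IGNORECASE)


def is_reflect_debugger_set(event: dict) -> bool:
    """True when a value-set event writes exactly the ReflectDebugger value."""
    if event.get("EventID") != 13:          # only value modifications
        return False
    return _PATTERN.search(event.get("TargetObject", "")) is not None


def find_alerts(events):
    """Return (Image, TargetObject, Details) for every matching event."""
    return [
        (e.get("Image", ""), e["TargetObject"], e.get("Details", ""))
        for e in events
        if is_reflect_debugger_set(e)
    ]


# Constructed sample events (hypothetical paths and processes).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
     "Details": r"C:\Temp\example.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebuggerDelay",
     "Details": "DWORD (0x00000000)"},          # different value name: no alert
    {"EventID": 12, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger",
     "Details": ""},                            # key create/delete, not a set
]

if __name__ == "__main__":
    for image, target, details in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} set {target} -> {details}")
```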
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2023-05-18