
Summary
This detection rule identifies potentially malicious activity involving the Windows Error Reporting tool, WerFault.exe, which adversaries can abuse to launch an arbitrary program. The abuse relies on the SilentProcessExit mechanism: when a process image is registered under the SilentProcessExit registry key (with a matching Image File Execution Options GlobalFlag entry for the same image), WerFault.exe runs the program named in that key's MonitorProcess value whenever the monitored process exits. The rule alerts on a child process of WerFault.exe where the parent's command line carries the arguments '-s', '-t' and '-c', the form WerFault.exe takes when it is launched by this mechanism, and it excludes a list of known safe child executables to reduce false positives. Suggested investigation covers the child's command-line arguments, any network connections it makes, and correlation of the activity with events from other endpoints and security platforms; reading the SilentProcessExit key for the monitored image is a useful confirming check, since its MonitorProcess value names the launched program. The rule also lists legitimate scenarios that can produce the same pattern and recommends verifying them and adding exclusions where warranted. Its aim is to surface covert process execution that hides behind a trusted, Microsoft-signed parent process.
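The matching logic summarized above, written out as an added example that is not the rule's own query: a small Python evaluator run over constructed process-start events, plus a triage helper that pulls MonitorProcess values out of a .reg export of the SilentProcessExit key. The event field names, the sample events, the .reg text and the exclusion list (vsjitdebugger.exe, psr.exe, tttracer.exe) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed exclusion list: the rule's real list of known-safe executables is not
# reproduced on this page, so these debugger/recorder names are illustrative only.
KNOWN_SAFE_CHILDREN = frozenset({"vsjitdebugger.exe", "psr.exe", "tttracer.exe"})

# Switches WerFault.exe carries when the SilentProcessExit handler launched it.
SPE_SWITCHES = frozenset({"-s", "-t", "-c"})


@dataclass
class ProcessStart:
    """One process-start event. Field names are an assumption, not a specific schema."""
    name: str
    args: List[str]
    parent_name: str
    parent_args: List[str]


def werfault_from_silent_exit(parent_name: str, parent_args: List[str]) -> bool:
    """True when the parent is WerFault.exe and its command line has -s, -t and -c."""
    if parent_name.lower() != "werfault.exe":
        return False
    switches = {a.lower() for a in parent_args if a.startswith("-")}
    return SPE_SWITCHES <= switches


def evaluate(event: ProcessStart) -> Optional[str]:
    """Return an alert description, or None when the event does not match the rule."""
    if not werfault_from_silent_exit(event.parent_name, event.parent_args):
        return None
    if event.name.lower() in KNOWN_SAFE_CHILDREN:
        return None  # the rule's exclusion branch
    return (f"suspicious WerFault.exe child: {' '.join(event.args)} "
            f"(parent cmdline: WerFault.exe {' '.join(event.parent_args)})")


def run_rule(events: List[ProcessStart]) -> List[str]:
    """Apply the rule to a batch of events and return the alerts it raises."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Triage helper for the registry side. The key lives under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<image>;
# its MonitorProcess value is the program WerFault.exe launches when <image> exits.
_SPE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\SilentProcessExit\\([^\]]+)\]$", re.I)
_MONITOR = re.compile(r'^"MonitorProcess"="(.*)"$', re.I)


def monitored_images(reg_export: str) -> Dict[str, str]:
    """Map each image registered for SilentProcessExit to its MonitorProcess command."""
    found: Dict[str, str] = {}
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        key = _SPE_KEY.match(line)
        if key:
            current = key.group(1).lower()
            continue
        mon = _MONITOR.match(line)
        if mon and current:
            found[current] = mon.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return found


# Constructed sample data (not captured from a real host).
SAMPLE_EVENTS = [
    # ordinary crash report: WerFault.exe -u -p <pid> -s <event>; no -t/-c, so no match
    ProcessStart("update.exe", ["C:\\Users\\Public\\update.exe"], "WerFault.exe",
                 ["-u", "-p", "4120", "-s", "900"]),
    # SilentProcessExit fired and WerFault.exe launched the configured MonitorProcess
    ProcessStart("update.exe", ["C:\\Users\\Public\\update.exe"], "WerFault.exe",
                 ["-s", "-t", "4120", "-i", "4120", "-c", "1620"]),
    # same parent form, but the child is on the exclusion list
    ProcessStart("VsJITDebugger.exe", ["VsJITDebugger.exe", "-p", "4120"], "WerFault.exe",
                 ["-s", "-t", "4120", "-i", "4120", "-c", "1620"]),
    # unrelated parent
    ProcessStart("cmd.exe", ["cmd.exe"], "explorer.exe", ["explorer.exe"]),
]

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\update.exe"
"""

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
    print(monitored_images(SAMPLE_REG_EXPORT))
```

Only the second sample event raises an alert: the first has the same child but the crash-reporting form of WerFault.exe, the third is on the exclusion list, and the fourth has an unrelated parent. Note that the exclusion here compares the child's image name only; a production rule should also check the full path or signer, because a binary renamed to a safe-listed name (the masquerading in T1036) would otherwise slip through.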
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1036
- T1546
- T1546.012
Created: 2020-08-24