feat: add more rules

2023-07-20 13:47:30 +02:00
parent 08e0a297f3
commit 73f44e61d1
16 changed files with 520 additions and 30 deletions
@@ -0,0 +1,31 @@
+title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
+related:
+    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+      type: derived
+status: experimental
+description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware
+references:
+    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        - Image|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+        - TargetFilename|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,47 @@
+title: Abusable DLL Potential Sideloading From Suspicious Location
+id: 1228c958-e64e-4e71-92ad-7d429f4138ba
+status: experimental
+description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+references:
+    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
+    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/07/11
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection_dll:
+        ImageLoaded|endswith:
+            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
+            - '\coreclr.dll'
+            - '\facesdk.dll'
+            - '\HPCustPartUI.dll'
+            - '\libcef.dll'
+            - '\ZIPDLL.dll'
+    selection_folders_1:
+        ImageLoaded|contains:
+            - ':\Perflogs\'
+            - ':\Users\Public\'
+            - '\Temporary Internet'
+            - '\Windows\Temp\'
+    selection_folders_2:
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Favorites\'
+        - CommandLine|contains|all:
+            - ':\Users\'
+            - '\Favourites\'
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Contacts\'
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Pictures\'
+    condition: selection_dll and 1 of selection_folders_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,31 @@
+title: Potential CCleanerDU.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerDU.dll"
+references:
+    - https://lab52.io/blog/2344-2/
+author: X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\CCleanerDU.dll'
+    filter_main_path:
+        Image|startswith:
+            - 'C:\Program Files\CCleaner\'
+            - 'C:\Program Files (x86)\CCleaner\'
+        Image|endswith:
+            - '\CCleaner.exe'
+            - '\CCleaner64.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
@@ -0,0 +1,29 @@
+title: Potential CCleanerReactivator.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+references:
+    - https://lab52.io/blog/2344-2/
+author: X__Junior
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\CCleanerReactivator.dll'
+    filter_main_path:
+        Image|startswith:
+            - 'C:\Program Files\CCleaner\'
+            - 'C:\Program Files (x86)\CCleaner\'
+        Image|endswith: '\CCleanerReactivator.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
@@ -6,9 +6,9 @@ references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
-author: Sorina Ionescu
+author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022/08/17
-modified: 2023/04/18
+modified: 2023/07/20
 tags:
    - attack.command_and_control
    - attack.t1102
@@ -22,24 +22,48 @@ detection:
        DestinationHostname|endswith:
            - '.cloudflare.com'
            - '.githubusercontent.com'
+            - '4shared.com'
+            - 'anonfiles.com'
            - 'cdn.discordapp.com'
+            - 'ddns.net'
+            - 'discord.com/api/webhooks/'
            - 'docs.google.com'
+            - 'drive.google.com'
+            - 'dropbox.com'
+            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
+            - 'ghostbin.co/'
+            - 'gist.githubusercontent.com'
+            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
+            - 'mediafire.com'
+            - 'mega.nz'
+            - 'onedrive.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
+            - 'privatlab.com'
+            - 'privatlab.net'
+            - 'raw.githubusercontent.com'
            - 'reddit.com'
+            - 'send.exploit.in'
+            - 'sendspace.com'
            - 'steamcommunity.com'
+            - 'storage.googleapis.com'
+            - 't.me'
            - 'technet.microsoft.com'
+            - 'temp.sh'
+            - 'transfer.sh'
            - 'twitter.com'
+            - 'ufile.io'
+            - 'vimeo.com'
+            - 'wetransfer.com'
            - 'youtube.com'
-    filter_main_brave:
-        Image|endswith: '\brave.exe'
+    # Note: Add/Remove browsers that you don't use or those that have custom install locations
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
@@ -52,8 +76,6 @@ detection:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
-    filter_main_maxthon:
-        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
@@ -67,16 +89,8 @@ detection:
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
-    filter_main_opera:
-        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
-    filter_main_seamonkey:
-        Image|endswith: '\seamonkey.exe'
-    filter_main_vivaldi:
-        Image|endswith: '\vivaldi.exe'
-    filter_main_whale:
-        Image|endswith: '\whale.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' #Microsoft Defender executable
@@ -85,6 +99,91 @@ detection:
        Image|endswith: '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
    filter_optional_qlik:
        Image|endswith: '\Engine.exe' #Process from qlik.com app
+    filter_main_brave:
+        Image|endswith: '\brave.exe'
+        Image|startswith: 'C:\Program Files\BraveSoftware\'
+    filter_main_maxthon:
+        Image|contains: '\AppData\Local\Maxthon\'
+        Image|endswith: '\maxthon.exe'
+    filter_main_opera:
+        Image|contains: '\AppData\Local\Programs\Opera\'
+        Image|endswith: '\opera.exe'
+    filter_main_seamonkey:
+        Image|startswith:
+            - 'C:\Program Files\SeaMonkey\'
+            - 'C:\Program Files (x86)\SeaMonkey\'
+        Image|endswith: '\seamonkey.exe'
+    filter_main_vivaldi:
+        Image|contains: '\AppData\Local\Vivaldi\'
+        Image|endswith: '\vivaldi.exe'
+    filter_main_whale:
+        Image|startswith:
+            - 'C:\Program Files\Naver\Naver Whale\'
+            - 'C:\Program Files (x86)\Naver\Naver Whale\'
+        Image|endswith: '\whale.exe'
+    filter_main_tor:
+        Image|contains: '\Tor Browser\'
+    filter_main_whaterfox:
+        Image|startswith:
+            - 'C:\Program Files\Waterfox\'
+            - 'C:\Program Files (x86)\Waterfox\'
+        Image|endswith: '\Waterfox.exe'
+    filter_main_midori:
+        Image|contains: '\AppData\Local\Programs\midori-ng\'
+        Image|endswith: '\Midori Next Generation.exe'
+    filter_main_slimbrowser:
+        Image|startswith:
+            - 'C:\Program Files\SlimBrowser\'
+            - 'C:\Program Files (x86)\SlimBrowser\'
+        Image|endswith: '\slimbrowser.exe'
+    filter_main_flock:
+        Image|contains: '\AppData\Local\Flock\'
+        Image|endswith: '\Flock.exe'
+    filter_main_phoebe:
+        Image|contains: '\AppData\Local\Phoebe\'
+        Image|endswith: '\Phoebe.exe'
+    filter_main_falkon:
+        Image|startswith:
+            - 'C:\Program Files\Falkon\'
+            - 'C:\Program Files (x86)\Falkon\'
+        Image|endswith: '\falkon.exe'
+    filter_main_qtweb:
+        Image|startswith:
+            - 'C:\Program Files (x86)\QtWeb\'
+            - 'C:\Program Files\QtWeb\'
+        Image|endswith: '\QtWeb.exe'
+    filter_main_avant:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Avant Browser\'
+            - 'C:\Program Files\Avant Browser\'
+        Image|endswith: '\avant.exe'
+    filter_main_whatsapp:
+        Image|startswith:
+            - 'C:\Program Files (x86)\WindowsApps\'
+            - 'C:\Program Files\WindowsApps\'
+        Image|endswith: 'WhatsApp.exe'
+    filter_main_telegram:
+        Image|contains: '\AppData\Roaming\Telegram Desktop\'
+        Image|endswith: '\Telegram.exe'
+    filter_main_onedrive:
+        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+        Image|endswith: '\OneDrive.exe'
+    filter_main_dropbox:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Dropbox\Client\'
+            - 'C:\Program Files\Dropbox\Client\'
+        Image|endswith: '\Dropbox.exe'
+    filter_main_mega:
+        Image|contains: '\AppData\Local\MEGAsync\'
+        Image|endswith: 'MEGAsync.exe'
+    filter_main_googledrive:
+        Image|startswith:
+            - 'C:\Program Files\Google\Drive File Stream\'
+            - 'C:\Program Files (x86)\Google\Drive File Stream\'
+        Image|endswith: 'GoogleDriveFS.exe'
+    filter_main_discord:
+            Image|contains: '\AppData\Local\Discord\'
+            Image|endswith: '\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
@@ -0,0 +1,31 @@
+title: Suspicious Ping/Del Command Combination
+id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
+status: experimental
+description: Detects uncommon one liner command having ping and copy at the same time usually used by malware.
+references:
+    - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
+    selection_cmd:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_cli:
+        CommandLine|contains: # Count
+            - ' -n '
+            - ' /n '
+        CommandLine|contains|all:
+            - 'ping' # Covers "ping" and "ping.exe"
+            - 'copy '
+            - ' /y '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -17,6 +17,7 @@ logsource:
    category: process_creation
    product: windows
 detection:
+    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
    selection_count:
        CommandLine|contains:
@@ -0,0 +1,24 @@
+title: Insecure Transfer Via Curl.EXE
+id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+status: experimental
+description: Detects execution of "curl.exe" with the "--insecure" flag.
+references:
+    - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli:
+        - CommandLine|re: '\s-k\s'
+        - CommandLine|contains: '--insecure'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -3,7 +3,6 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
-    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
@@ -11,6 +10,7 @@ modified: 2023/02/10
 tags:
    - attack.defense_evasion
    - attack.t1562.004
+    - attack.s0246
 logsource:
    category: process_creation
    product: windows
@@ -33,5 +33,5 @@ detection:
    condition: all of selection_* and not 1 of filter_*
 falsepositives:
    - Legitimate administration activity
-    - Software installations and removal
+    - Software installations
 level: medium
@@ -0,0 +1,28 @@
+title: Firewall Rule Update Via Netsh.EXE
+id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
+status: test
+description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
+references:
+    - https://ss64.com/nt/netsh.html
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\netsh.exe'
+        - OriginalFileName: 'netsh.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
+            # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
+            - ' firewall '
+            - ' set '
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administration activity
+    - Software installations and removal
+level: medium
@@ -0,0 +1,39 @@
+title: PowerShell Execution With Potential Decryption Capabilities
+id: 434c08ba-8406-4d15-8b24-782cb071a691
+status: experimental
+description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware.
+references:
+    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cli_dir:
+        CommandLine|contains:
+            - "Get-ChildItem "
+            - "dir "
+    selection_cli_gc:
+        CommandLine|contains:
+            - "Get-Content "
+            - "gc "
+    selection_cli_specific:
+        CommandLine|contains|all:
+            - ' ^| '
+            - '\*.lnk'
+            - '-Recurse'
+            - '-Skip '
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
@@ -1,12 +1,14 @@
-title: Scheduled Task Executing Powershell Encoded Payload from Registry
-id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
-status: test
-description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+title: Scheduled Task Executing Payload from Registry
+id: 86588b36-c6d3-465f-9cee-8f9093e07798
+related:
+    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+      type: derived
+status: experimental
+description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
 references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-date: 2022/02/12
-modified: 2023/02/04
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
 tags:
    - attack.execution
    - attack.persistence
@@ -20,17 +22,23 @@ detection:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
-    selection_cli:
-        CommandLine|contains|all:
-            - '/Create'
-            - 'FromBase64String'
+    selection_cli_create:
+        CommandLine|contains: '/Create'
+    selection_cli_get:
+        CommandLine|contains:
            - 'Get-ItemProperty'
+            - ' gp ' # Alias
+    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
-    condition: all of selection_*
+    filter_main_encoding:
+        CommandLine|contains:
+            - 'FromBase64String'
+            - 'encodedcommand'
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
-    - Unlikely
-level: high
+    - Unknown
+level: medium
@@ -0,0 +1,42 @@
+title: Scheduled Task Executing Encoded Payload from Registry
+id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+status: test
+description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+references:
+    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/02/12
+modified: 2023/02/04
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1053.005
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli_create:
+        CommandLine|contains: '/Create'
+    selection_cli_encoding:
+        CommandLine|contains:
+            - 'FromBase64String'
+            - 'encodedcommand'
+    selection_cli_get:
+        CommandLine|contains:
+            - 'Get-ItemProperty'
+            - ' gp ' # Alias
+    selection_cli_hive:
+        CommandLine|contains:
+            - 'HKCU:'
+            - 'HKLM:'
+            - 'registry::'
+            - 'HKEY_'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,27 @@
+title: Suspicious Process Execution From Fake Recycle.Bin Folder
+id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+related:
+    - id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
+      type: derived
+status: experimental
+description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+references:
+    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,27 @@
+title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+related:
+    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+      type: derived
+status: experimental
+description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path
+references:
+    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\WerFault.exe'
+        - OriginalFileName: 'WerFault.exe'
+    selection_cli:
+        CommandLine|contains: ' -pr '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,26 @@
+title: Potential WerFault ReflectDebugger Registry Value Abuse
+id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+related:
+    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+      type: derived
+status: experimental
+description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence.
+references:
+    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior
+date: 2023/05/18
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: 'SetValue'
+        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high