[New Rule] Suspicious WerFault Child Process (#212)

* [New Rule] Suspicious WerFault Child Process

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* linted

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Samirbous
2020-09-22 14:32:04 +02:00
committed by GitHub
parent 96992b3ae6
commit 42247efc3b
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2020/08/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/24"
[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details
such as command line, network connections, file writes and parent process details as well.
"""
false_positives = ["Custom Windows Error Reporting Debugger"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Suspicious WerFault Child Process"
references = [
"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = ["Elastic", "Windows"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:WerFault.exe and
not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
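Review bot: The exclusion on the final `not process.name:(...)` line of the query is keyed on the bare file name only, so a payload renamed to any of the five listed names is never surfaced — and, as I understand the SilentProcessExit image-hijack mechanism the two references describe, a MonitorProcess value that launches `rundll32.exe <dll>,<export>` slips through the rule entirely, which is a real gap for a rule filed under T1036 Masquerading. Anchoring the allowlist to the on-disk location closes the rename case, e.g. `not (process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe) and process.executable:(C\:\\Windows\\System32\\* or C\:\\Windows\\SysWOW64\\*))`, with the KQL escaping of `:` and `\` confirmed against the rule test harness. Even a correctly-pathed rundll32.exe can host an arbitrary DLL, so I would drop it from the exclusion or pair it with a `process.args` constraint rather than exclude it outright, and document the accepted residual risk in `false_positives`. Separately, if `process.parent.name` is mapped as a keyword field the `WerFault.exe` match is case-sensitive and would presumably miss a source that records the parent as `werfault.exe`; worth confirming across the winlogbeat and endpoint indices the rule targets.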