From 8afda66487fdd28b966b34e53dfb4c5ca3bb2729 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 11 Jan 2023 16:41:57 +0000
Subject: [PATCH] [Rule Tuning] Suspicious WerFault Child Process (#2437)

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
---
 ...erading_suspicious_werfault_childproc.toml | 30 ++++++++-----------
 1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index f2d787fb0..2a0c2aafb 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -4,13 +4,13 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details
-such as command line, network connections, file writes and parent process details as well.
+A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
+registry key manipulation. Verify process details such as command line, network connections and file writes.
 """
 false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
 from = "now-9m"
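Review bot: The rewritten description in this hunk says the activity may indicate an attempt to run "via the SilentProcessExit registry key manipulation", but the rule does not inspect any registry event; judging from the tuned query later in the patch it matches on WerFault.exe as the parent carrying the `-s`, `-t` and `-c` switches, so an analyst reading the description would go looking for the wrong evidence. The new wording also drops the advice to verify parent process details, which is now the one thing the query keys on. Consider `A suspicious WerFault child process was detected, which may indicate an attempt to execute a program through the SilentProcessExit mechanism (WerFault launched with the -s, -t and -c switches). Verify the parent WerFault command line as well as the child's command line, network connections and file writes.`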
@@ -24,6 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+ "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
 "https://blog.menasec.net/2021/01/",
 ]
@@ -35,21 +36,14 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
- process.parent.name : "WerFault.exe" and
- not process.name : ("cofire.exe",
- "psr.exe",
- "VsJITDebugger.exe",
- "TTTracer.exe",
- "rundll32.exe",
- "LogiOptionsMgr.exe") and
- not process.args : ("/LOADSAVEDWINDOWS",
- "/restore",
- "RestartByRestartManager*",
- "--restarted",
- "createdump",
- "dontsend",
- "/watson")
+process where event.type == "start" and
+
+ process.parent.name : "WerFault.exe" and
+
+ /* args -s and -t used to execute a process via SilentProcessExit mechanism */
+ (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
+
+ not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
 '''