[Rule Tuning] Suspicious WerFault Child Process (#990)

* [Rule Tuning] Suspicious WerFault Child Process

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-03-18 15:08:44 +01:00
committed by GitHub
parent 0ca39df508
commit bc74838c0b
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/24"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
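Review bot: the updated_date bump from 2021/03/03 to 2021/03/08 already lags the commit date shown on this page (2021-03-18), and this change touches both the false_positives field and the query; set updated_date to the date the tuning actually lands so the rule metadata matches the release history.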
@@ -9,7 +9,7 @@ description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details
such as command line, network connections, file writes and parent process details as well.
"""
false_positives = ["Custom Windows Error Reporting Debugger"]
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
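Review bot: the new false_positives entry folds two unrelated cases ("Custom Windows error reporting debugger" and "applications restarted by WerFault after a crash") into one string even though the field is a list; split them into two entries, e.g. false_positives = ["Custom Windows error reporting debugger.", "Applications restarted by WerFault after a crash."], so each case can be referenced and removed independently in later tuning.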
@@ -30,7 +30,8 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:WerFault.exe and
not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)
not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe or LogiOptionsMgr.exe) and
not process.args:("/LOADSAVEDWINDOWS" or "/restore" or RestartByRestartManager* or "--restarted" or createdump or dontsend or /watson)
'''
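Review bot: the added `not process.args:(...)` clause excludes any WerFault child that carries one of the listed arguments regardless of process.name, so a child that merely passes a value such as dontsend or /watson among its arguments is dropped even when its name is not one of the expected restart or debugger binaries; consider scoping each argument exclusion to the process it belongs to (the RestartByRestartManager* and "--restarted" values to applications relaunched after a crash, createdump and /watson to the WER components that use them) rather than applying the whole list globally. Also, RestartByRestartManager* is the only wildcard in the list, and a wildcard inside a quoted KQL value is matched literally, so leave a comment that it must stay unquoted or a future edit that quotes it for consistency will silently turn it into an exact match.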
@@ -46,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"