From bc74838c0b22a13cbcdef3bfd61c012880be87e4 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 18 Mar 2021 15:08:44 +0100
Subject: [PATCH] [Rule Tuning] Suspicious WerFault Child Process (#990)

* [Rule Tuning] Suspicious WerFault Child Process
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...vasion_masquerading_suspicious_werfault_childproc.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 2fb9f6b79..06ef83398 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
 A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.
 """
-false_positives = ["Custom Windows Error Reporting Debugger"]
+false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
@@ -30,7 +30,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and
- not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)
+ not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe or LogiOptionsMgr.exe) and
+ not process.args:("/LOADSAVEDWINDOWS" or "/restore" or RestartByRestartManager* or "--restarted" or createdump or dontsend or /watson)
 '''
 
@@ -46,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
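Review bot: The new `process.args` exclusion on the second `+` line is keyed only on command-line content, so any WerFault child process that carries one of those argument values is excluded regardless of its `process.name` or executable path, which widens the bypass surface of a masquerading rule far more than the `process.name` allowlist on the line above. Where the legitimate restart flow is known, consider pairing each argument exclusion with the expected `process.executable` path, or at minimum stating in `false_positives` or a `note` field that these exclusions depend on command-line values the spawned process controls. The quoting is also inconsistent: `"/LOADSAVEDWINDOWS"`, `"/restore"` and `"--restarted"` are quoted while `createdump`, `dontsend` and `/watson` are bare; quoting every literal term, e.g. `not process.args:("/LOADSAVEDWINDOWS" or "/restore" or RestartByRestartManager* or "--restarted" or "createdump" or "dontsend" or "/watson")`, makes it obvious that only `RestartByRestartManager*` is intended as a prefix pattern.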