Techniques
Sample rules
Suspicious WerFault Child Process
- source: elastic
- techniques:
  - T1036
  - T1546
Description
A suspicious WerFault child process was detected, which may indicate an attempt to execute a process through manipulation of the SilentProcessExit registry key. Verify process details such as command line, network connections and file writes.
Detection logic
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "WerFault.exe" and
/* args -s and -t used to execute a process via SilentProcessExit mechanism */
(process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
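The same logic, re-implemented in Python over constructed process-start events so the three-argument check and the `?:` drive-letter wildcard in the exclusion list can be seen deciding each case. This is an added example, not Elastic's code; the helper names, the `werfault_start` builder and every event value (pids, paths) are constructed for illustration.

```python
import fnmatch

# Exclusions from the rule; EQL "?" matches one character, so "?:" is any drive letter.
EXCLUDED_EXECUTABLES = ("?:\\Windows\\SysWOW64\\Initcrypt.exe",
                        "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")

def eql_like(value, pattern):
    """EQL ':' operator: case-insensitive, '?' = one char, '*' = any run."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def field_matches(event, field, patterns):
    """True if any value of the field matches any pattern (EQL array semantics)."""
    values = event.get(field)
    if values is None:
        return False
    values = [values] if isinstance(values, str) else values
    patterns = (patterns,) if isinstance(patterns, str) else patterns
    return any(eql_like(v, p) for v in values for p in patterns)

def is_suspicious_werfault_child(event):
    """Mirror of the rule: Windows start, parent WerFault.exe with -s, -t and -c, child not excluded."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not field_matches(event, "process.parent.name", "WerFault.exe"):
        return False
    if not all(field_matches(event, "process.parent.args", a) for a in ("-s", "-t", "-c")):
        return False
    return not field_matches(event, "process.executable", EXCLUDED_EXECUTABLES)

def alert_on(events):
    """Executables of the events that fire the rule, in input order."""
    return [e["process.executable"] for e in events if is_suspicious_werfault_child(e)]

def werfault_start(args, child, parent="WerFault.exe"):
    """Build a constructed process-start event (not real telemetry)."""
    return {"host.os.type": "windows", "event.type": "start", "process.parent.name": parent,
            "process.parent.args": ["WerFault.exe", *args], "process.executable": child}

SAMPLE_EVENTS = [
    # fires: -s -t -c launch shape and an unexpected child binary
    werfault_start(["-s", "-t", "4242", "-c", "4242"], "C:\\Users\\Public\\updater.exe"),
    # suppressed: same shape, but the child is on the rule's exclusion list (any drive letter)
    werfault_start(["-s", "-t", "880", "-c", "880"], "D:\\Windows\\SysWOW64\\Initcrypt.exe"),
    # no alert: ordinary crash-report invocation has -s but not -t / -c
    werfault_start(["-u", "-p", "1212", "-s", "1500"], "C:\\Windows\\System32\\conhost.exe"),
    # no alert: parent is not WerFault.exe
    werfault_start(["-s", "-t", "1", "-c", "1"], "C:\\tools\\x.exe", parent="svchost.exe"),
]
```

Running `alert_on(SAMPLE_EVENTS)` returns only the first event's executable; the exclusion list is an allow list for known benign children, so any addition to it should be reviewed as a gap in coverage rather than a tuning convenience.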