Techniques
Sample rules
Potential Windows Error Manager Masquerading
- source: elastic
- techniques:
  - T1036
Description
Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.
Detection logic
sequence by host.id, process.entity_id with maxspan = 5s
  [process where host.os.type == "windows" and event.type : "start" and process.name : ("wermgr.exe", "WerFault.exe") and
   (process.args_count == 1 and
    /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
    not process.command_line regex~ """\".*\.exe[^\"].*""")]
  [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
   network.direction : ("outgoing", "egress") and destination.ip != "::1" and destination.ip != "127.0.0.1"]
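The sequence above, re-implemented as an added Python example (not Elastic's rule engine or code) over constructed sample events, so the 5-second join on host.id and process.entity_id, the DNS and loopback exclusions and the broken-quote exclusion can be exercised offline; the dict keys are simplified stand-ins for the ECS fields the rule reads.

```python
import re
from datetime import datetime, timedelta
# Added example, not Elastic's engine: the EQL sequence re-implemented over constructed events.
MAXSPAN = timedelta(seconds=5)
WER_PROCS = {"wermgr.exe", "werfault.exe"}   # process.name : (...) compares case-insensitively
LOOPBACK = {"::1", "127.0.0.1"}
# regex~ exclusion: a quoted path whose .exe is followed by a non-quote char means a missing
# closing quote swallowed the real arguments while args_count still reports 1.
BROKEN_QUOTE_RE = re.compile(r'".*\.exe[^"].*', re.IGNORECASE)

def suspicious_start(ev):
    return (ev["category"] == "process" and ev["event_type"] == "start"
            and ev["process_name"].lower() in WER_PROCS and ev["args_count"] == 1
            and not BROKEN_QUOTE_RE.search(ev["command_line"]))

def suspicious_network(ev):
    return (ev["category"] == "network" and ev["process_name"].lower() in WER_PROCS
            and ev["protocol"] != "dns" and ev["direction"] in ("outgoing", "egress")
            and ev["destination_ip"] not in LOOPBACK)

def find_matches(events):
    """Pair each qualifying start with the first qualifying egress connection from the same
    (host.id, process.entity_id) within MAXSPAN; returns a list of (start, network) tuples."""
    pending, matches = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host_id"], ev["entity_id"])
        if suspicious_start(ev):
            pending[key] = ev                      # a later start resets the window
        elif suspicious_network(ev) and key in pending:
            if ev["ts"] - pending[key]["ts"] <= MAXSPAN:
                matches.append((pending.pop(key), ev))
    return matches

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed timeline
def ev(offset_s, category, entity_id, **overrides):
    e = {"ts": T0 + timedelta(seconds=offset_s), "category": category, "host_id": "h1",
         "entity_id": entity_id, "process_name": "WerFault.exe", "event_type": "start",
         "args_count": 1, "command_line": "WerFault.exe", "protocol": "tcp",
         "direction": "outgoing", "destination_ip": "203.0.113.10"}  # 203.0.113.0/24 is TEST-NET
    return {**e, **overrides}

SAMPLE_EVENTS = [  # constructed sample telemetry
    ev(0, "process", "p0", command_line="WerFault.exe -u -p 1234 -s 5678", args_count=5),
    ev(1, "network", "p0"),                               # normal launch with its flags: no match
    ev(2, "process", "p1"), ev(4, "network", "p1"),       # bare name, egress 2s later: MATCH
    ev(5, "process", "p2"), ev(6, "network", "p2", protocol="dns"),
    ev(7, "network", "p2", destination_ip="127.0.0.1"),   # only DNS and loopback: no match
    ev(10, "process", "p3", command_line='"C:\\Windows\\System32\\WerFault.exe -u -p 1'),
    ev(11, "network", "p3"),                              # missing-quote bug, excluded by regex
    ev(20, "process", "p4"), ev(28, "network", "p4"),     # outside the 5s maxspan: no match
]
```

Running `find_matches(SAMPLE_EVENTS)` yields exactly one pair, the bare `WerFault.exe` start for `p1` and its connection two seconds later.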