Potential Windows Error Manager Masquerading
- source: elastic
- techniques: T1036
 
Description
Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.
Detection logic
sequence by host.id, process.entity_id with maxspan = 5s
  [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and
    (process.args_count == 1 and
      /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
      not process.command_line regex~ """\".*\.exe[^\"].*""")]
  [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
    network.direction : ("outgoing", "egress") and destination.ip != "::1" and destination.ip != "127.0.0.1"
  ]
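As an added illustration (not part of the Elastic rule or its query engine), the Python below emulates the two-step sequence above over constructed sample events: step 1 requires a WER binary started with a single argument and applies the unbalanced-quote exclusion, step 2 requires a non-DNS, non-loopback outbound connection by the same host and process entity within the 5-second maxspan. Field names (host_id, entity_id, dest_ip and so on) are simplified assumptions rather than ECS paths.

```python
import re
from datetime import datetime, timedelta

WER = {"wermgr.exe", "werfault.exe"}                  # EQL ':' matches case-insensitively
MISSING_QUOTE = re.compile(r'".*\.exe[^"].*', re.I)  # the rule's unbalanced-quote exclusion
MAXSPAN = timedelta(seconds=5)

def is_suspicious_start(ev):
    # Step 1: a WER binary started with exactly one argument (and not the args_count bug)
    return (ev["category"] == "process" and ev["type"] == "start"
            and ev["name"].lower() in WER and ev["args_count"] == 1
            and not MISSING_QUOTE.fullmatch(ev["command_line"]))

def is_outgoing_net(ev):
    # Step 2: non-DNS, non-loopback outbound connection by a WER binary
    return (ev["category"] == "network" and ev["name"].lower() in WER
            and ev.get("protocol") != "dns" and ev["direction"] in ("outgoing", "egress")
            and ev["dest_ip"] not in ("::1", "127.0.0.1"))

def find_matches(events):
    """Emulate `sequence by host.id, process.entity_id with maxspan=5s`."""
    pending, hits = {}, []  # (host.id, process.entity_id) -> time of the qualifying start
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host_id"], ev["entity_id"])
        if is_suspicious_start(ev):
            pending[key] = ev["ts"]          # a newer start restarts the window
        elif is_outgoing_net(ev) and key in pending:
            if ev["ts"] - pending.pop(key) <= MAXSPAN:  # state is consumed either way
                hits.append(key)
    return hits
T0 = datetime(2024, 1, 1, 12, 0)
def start(host, pid, name, secs, argc, cmd):  # simplified, non-ECS field names (assumption)
    return dict(host_id=host, entity_id=pid, name=name, ts=T0 + timedelta(seconds=secs),
                category="process", type="start", args_count=argc, command_line=cmd)
def net(host, pid, name, secs, ip, proto="tcp"):
    return dict(host_id=host, entity_id=pid, name=name, ts=T0 + timedelta(seconds=secs),
                category="network", direction="outgoing", dest_ip=ip, protocol=proto)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    start("h1", "p1", "WerFault.exe", 0, 6, r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 300"),
    net("h1", "p1", "WerFault.exe", 1, "20.0.0.5"),          # normal crash upload: args_count != 1
    start("h1", "p2", "werfault.exe", 10, 1, r"C:\Users\Public\werfault.exe"),
    net("h1", "p2", "werfault.exe", 12, "203.0.113.10"),     # one arg, then egress in 2s: hit
    start("h1", "p3", "wermgr.exe", 20, 1, r'"C:\Program Files\App\wermgr.exe -upload'),
    net("h1", "p3", "wermgr.exe", 21, "198.51.100.7"),       # unbalanced quote: excluded
    start("h2", "p4", "WerFault.exe", 30, 1, r"C:\Users\Public\WerFault.exe"),
    net("h2", "p4", "WerFault.exe", 31, "127.0.0.1"),        # loopback: ignored
    net("h2", "p4", "WerFault.exe", 40, "198.51.100.9"),     # 10s after start: outside maxspan
]
def run_sample():
    return find_matches(SAMPLE_EVENTS)
```

Only the h1/p2 pair should match; the loopback and late-connection events for h2/p4 show why the maxspan and destination filters matter for noise.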
