LoFP / legit application crash with rare werfault commandline value

Techniques

Sample rules

Potential Windows Error Manager Masquerading

Description

Identifies suspicious instances of the Windows Error Reporting processes (WerFault.exe or Wermgr.exe) whose command line consists of nothing but the executable path, i.e. the command-line and process executable values match and no crash-reporting arguments were passed, and which then make outgoing network connections. This may indicate a masquerading attempt, where a process named WerFault.exe or Wermgr.exe is used so that its behaviour is missed by detections of suspicious child-process activity.

Detection logic

sequence by host.id, process.entity_id with maxspan = 5s
  [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and
    (process.args_count == 1 and
      /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
      not process.command_line regex~ """\".*\.exe[^\"].*""")]
  [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
    network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1"
  ]
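To make the rule's join and exclusion logic concrete, the following Python emulation of the EQL sequence above is an added example written for this page; it is not part of the LoFP page, the Elastic rule, or any project code. It assumes events flattened into plain dicts with constructed field names (host, entity, name, args_count, command_line, dest_ip, and so on) standing in for the ECS fields the rule references, and it applies the quote-bug regex as a full-string, case-insensitive match, which is how an anchored Elasticsearch regular expression with `regex~` behaves. The sample events are constructed and include the legitimate-crash case from this page's title (WerFault launched with the usual -u/-p/-s arguments), which the rule does not fire on.

```python
"""Added example: Python emulation of the WerFault/Wermgr masquerading EQL sequence."""
import re
from datetime import datetime, timedelta

# EQL: not process.command_line regex~ """\".*\.exe[^\"].*"""
# Excludes the args_count bug where an unclosed opening quote makes a command line
# such as "C:\...\WerFault.exe -u -p 1234 count as a single argument.
UNCLOSED_QUOTE = re.compile(r'".*\.exe[^"].*', re.IGNORECASE)
WER_NAMES = {"wermgr.exe", "werfault.exe"}   # process.name : ("wermgr.exe", "WerFault.exe")
MAXSPAN = timedelta(seconds=5)               # sequence ... with maxspan = 5s
LOOPBACK = {"::1", "127.0.0.1"}              # destination.ip exclusions


def is_suspicious_start(ev):
    """First sequence step: WER process start with a bare, fully quoted command line."""
    return (ev["category"] == "process" and ev["os"] == "windows"
            and ev["type"] == "start" and ev["name"].lower() in WER_NAMES
            and ev["args_count"] == 1
            and not UNCLOSED_QUOTE.fullmatch(ev["command_line"]))


def is_egress(ev):
    """Second sequence step: non-DNS outgoing connection from a WER process, not to loopback."""
    return (ev["category"] == "network" and ev["os"] == "windows"
            and ev["name"].lower() in WER_NAMES and ev.get("protocol") != "dns"
            and ev["direction"] in ("outgoing", "egress")
            and ev["dest_ip"] not in LOOPBACK)


def find_sequences(events):
    """Return (start_event, network_event) pairs joined on host.id and
    process.entity_id where the network event follows the start within MAXSPAN."""
    hits = []
    pending = {}  # (host, entity) -> most recent qualifying start event
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["entity"])
        if is_suspicious_start(ev):
            pending[key] = ev
        elif is_egress(ev) and key in pending:
            start = pending[key]
            if ev["ts"] - start["ts"] <= MAXSPAN:
                hits.append((start, ev))
                del pending[key]  # one match per sequence start
    return hits


T0 = datetime(2024, 1, 1, 12, 0, 0)
WER = r"C:\Windows\System32\WerFault.exe"


def _proc(host, entity, ts, args_count, command_line):
    return {"category": "process", "os": "windows", "type": "start", "name": "WerFault.exe",
            "host": host, "entity": entity, "ts": ts, "args_count": args_count,
            "command_line": command_line}


def _net(host, entity, ts, dest_ip, protocol="tcp", direction="outgoing"):
    return {"category": "network", "os": "windows", "name": "WerFault.exe", "host": host,
            "entity": entity, "ts": ts, "dest_ip": dest_ip, "protocol": protocol,
            "direction": direction}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # p1: bare quoted command line, then an outgoing connection 2s later -> matches
    _proc("h1", "p1", T0, 1, f'"{WER}"'),
    _net("h1", "p1", T0 + timedelta(seconds=2), "203.0.113.10"),
    # p2: legitimate crash handling with the usual arguments -> args_count > 1, no match
    _proc("h1", "p2", T0, 7, f'"{WER}" -u -p 4120 -s 1488'),
    _net("h1", "p2", T0 + timedelta(seconds=1), "203.0.113.10"),
    # p3: unclosed-quote bug makes args_count 1; the regex exclusion removes it
    _proc("h1", "p3", T0, 1, f'"{WER} -u -p 4120 -s 1488'),
    _net("h1", "p3", T0 + timedelta(seconds=1), "203.0.113.10"),
    # p4: connection arrives 10s after the start -> outside maxspan
    _proc("h2", "p4", T0, 1, f'"{WER}"'),
    _net("h2", "p4", T0 + timedelta(seconds=10), "203.0.113.10"),
    # p5: loopback destination and a DNS lookup are both excluded
    _proc("h2", "p5", T0, 1, f'"{WER}"'),
    _net("h2", "p5", T0 + timedelta(seconds=1), "127.0.0.1"),
    _net("h2", "p5", T0 + timedelta(seconds=2), "203.0.113.53", protocol="dns"),
]

if __name__ == "__main__":
    for start, net in find_sequences(SAMPLE_EVENTS):
        print(f"match: host={start['host']} entity={start['entity']} "
              f"cmd={start['command_line']} -> {net['dest_ip']}")
```

Running the block prints a single match, for entity p1. The p3 case is the one the rule's comment warns about: a legitimate WerFault launch can appear to have a single argument when telemetry mis-parses an unclosed quote, so the regex exclusion, not the argument count alone, is what keeps that crash from becoming a false positive.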