PPL Tampering Via WerFaultSecure
- source: sigma
- techniques:
- t1003
- t1003.001
- t1562
- t1562.001
Description
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes such as LSASS, or to freeze security solutions (EDR/antivirus). WerFaultSecure.exe is the signed Windows Error Reporting component that runs as a PPL itself, which is why tools such as EDR-Freeze and WSASS drive it to bypass PPL protections and either read sensitive process memory or suspend security software. Distinct command-line patterns in the parent process help identify the specific tool:
- WSASS usage typically shows “WSASS.exe WerFaultSecure.exe [PID]” in ParentCommandLine
- EDR-Freeze usage typically shows “EDR-Freeze_[version].exe [PID] [timeout]” in ParentCommandLine
The parent patterns only attribute a hit to a known tool; the rule itself matches on the child's command line alone, so a renamed or custom launcher still fires the detection. Legitimate debugging operations using WerFaultSecure are rare in production environments, so every match should be investigated.
Detection logic
  condition: all of selection_*
  selection_args:
    CommandLine|contains|all:
      - ' /h '
      - ' /pid '
      - ' /tid '
      - ' /encfile '
      - ' /cancel '
      - ' /type '
      - ' 268310'
  selection_image:
    - Image|endswith: \WerFaultSecure.exe
    - OriginalFileName: WerFaultSecure.exe
Both selections must match (all of selection_*). The two entries under selection_image form a YAML list, which Sigma evaluates as OR, so a copy of the binary executed from another path or under another name still matches on OriginalFileName. All string comparisons are case-insensitive, which is Sigma's default.
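The rule logic above, run over a few constructed process-creation events, as an added example that is not part of the original rule or of the EDR-Freeze or WSASS projects. The sample events, the field names (Sysmon event 1 style: Image, OriginalFileName, CommandLine, ParentCommandLine) and the regular expressions used to attribute a hit to a tool are this example's own assumptions; the token list and the selection semantics are taken from the rule.

```python
import re
from typing import Optional

# Values from the rule's selection_args (CommandLine|contains|all). Sigma string
# matching is case-insensitive by default, so both sides are lower-cased.
ARG_TOKENS = (" /h ", " /pid ", " /tid ", " /encfile ", " /cancel ", " /type ", " 268310")

# Parent command-line shapes quoted in the rule description. These regexes are this
# example's own loose encoding of "WSASS.exe WerFaultSecure.exe [PID]" and
# "EDR-Freeze_[version].exe [PID] [timeout]" (assumption: tool versions vary).
TOOL_PATTERNS = {
    "WSASS": re.compile(r"wsass\.exe\s+werfaultsecure\.exe\s+\d+", re.IGNORECASE),
    "EDR-Freeze": re.compile(r"edr-freeze[\w.-]*\.exe\s+\d+\s+\d+", re.IGNORECASE),
}


def selection_args(command_line: str) -> bool:
    """CommandLine|contains|all: every token must be present."""
    cl = command_line.lower()
    return all(tok in cl for tok in ARG_TOKENS)


def selection_image(image: str, original_file_name: str) -> bool:
    """selection_image is a YAML list, i.e. an OR of its two entries."""
    return (image.lower().endswith("\\werfaultsecure.exe")
            or original_file_name.lower() == "werfaultsecure.exe")


def classify_tool(parent_command_line: str) -> str:
    """Attribute a hit to a known tool from the parent's command line, if possible."""
    for name, rx in TOOL_PATTERNS.items():
        if rx.search(parent_command_line):
            return name
    return "unknown"


def evaluate(event: dict) -> Optional[dict]:
    """Apply 'condition: all of selection_*'; return an alert dict or None."""
    cmd = event.get("CommandLine", "")
    if not (selection_args(cmd)
            and selection_image(event.get("Image", ""), event.get("OriginalFileName", ""))):
        return None
    pid = re.search(r"/pid\s+(\d+)", cmd, re.IGNORECASE)
    encfile = re.search(r"/encfile\s+(\S+)", cmd, re.IGNORECASE)
    return {
        "tool": classify_tool(event.get("ParentCommandLine", "")),
        "target_pid": int(pid.group(1)) if pid else None,
        "encfile": encfile.group(1) if encfile else None,
        "image": event.get("Image", ""),
    }


def run_rule(events: list) -> list:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed process-creation events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {   # EDR-Freeze: parent is the tool, child is the genuine WerFaultSecure binary
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 5678 /encfile C:\Users\Public\out.dmp /cancel 0x1c4 /type 268310",
        "ParentCommandLine": r"C:\Users\Public\EDR-Freeze_1.0.exe 1234 60000",
    },
    {   # WSASS aimed at an LSASS PID
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r"WerFaultSecure.exe /h /pid 772 /tid 800 /encfile C:\Windows\Temp\lsass.dmp /cancel 0x2a8 /type 268310",
        "ParentCommandLine": r"WSASS.exe WerFaultSecure.exe 772",
    },
    {   # Copied and renamed binary: Image no longer matches, OriginalFileName still does
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r"C:\Temp\svc.exe /h /pid 772 /tid 800 /encfile C:\Temp\a.bin /cancel 0x1f0 /type 268310",
        "ParentCommandLine": r"cmd.exe",
    },
    {   # Ordinary WerFault.exe crash handling: different binary, different switches
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4321 -s 1100",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
    },
    {   # WerFaultSecure without the 268310 type value: selection_args fails
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r"WerFaultSecure.exe /h /pid 4321 /tid 10 /encfile C:\x.dmp /cancel 0x10 /type 1",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
    },
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

The third sample is the case the OriginalFileName branch exists for: the attacker copies WerFaultSecure.exe elsewhere under a neutral name, the Image check fails, but the PE version resource still carries the original file name. The last two samples show the two ways a WER-related process stays below the rule: a different binary, or the right binary without the full argument set.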