Detectionhightest

Potential WerFault ReflectDebugger Registry Value Abuse

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

X__JuniorCreated Thu May 180cf2e1c6-8d10-4273-8059-738778f981adwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1036.003 · Rename System Utilities

Related Rules

DerivedDetectionmedium

Potential ReflectDebugger Content Execution Via WerFault.EXE

Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

0cf2e1c6-8d10-4273-8059-738778f981ad

Status

test

Level

high

Type

Detection

Created

Thu May 18

Author

X__Junior

Path

rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml

Raw Tags

attack.defense-evasionattack.t1036.003

View on GitHub