
Potential Credential Dumping Via WER

Detects potential credential dumping via the Windows Error Reporting "LSASS Shtinkering" technique, which abuses Windows Error Reporting (WerFault.exe) to dump the memory of lsass.exe.

Authors: @pbssubhash, Nasreddine Bencherchali (Nextron Systems)
Created: Thu Dec 08
Updated: Fri Dec 09
Rule ID: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_img:
        - Image|endswith: '\Werfault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        ParentUser|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
        CommandLine|contains|all:
            # Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
            # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
            # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
            # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
            - ' -u -p '
            - ' -ip '
            - ' -s '
    filter_lsass:
        ParentImage: 'C:\Windows\System32\lsass.exe'
    condition: all of selection_* and not 1 of filter_*
False Positives

Windows Error Reporting might produce similar behavior for a legitimate crash. In that case, check whether the PID passed to the "-p" parameter in the CommandLine is actually lsass.exe, and whether the "-ip" PID is a different process.
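The three selectors and the false-positive check above, as an added example (not code from the Sigma project or this rule's authors): it evaluates constructed process_creation events against the same field conditions, then compares the "-p" target PID with an assumed, separately known lsass PID, which the process_creation event itself does not carry.

```python
import re

# Sigma string matching is case-insensitive, so every comparison below
# normalises case. Field names follow the Sigma process_creation taxonomy.
AUTH_TOKENS = ("AUTHORI", "AUTORI")   # 'NT AUTHORITY', 'NT AUTORITÉ', ... across locales
CLI_TOKENS = (" -U -P ", " -IP ", " -S ")

def _contains_any(value, tokens):
    return any(tok in value.upper() for tok in tokens)

def selection_img(ev):
    return (ev.get("Image", "").lower().endswith("\\werfault.exe")
            or ev.get("OriginalFileName", "").lower() == "werfault.exe")

def selection_cli(ev):
    cli = ev.get("CommandLine", "").upper()
    return (_contains_any(ev.get("ParentUser", ""), AUTH_TOKENS)
            and _contains_any(ev.get("User", ""), AUTH_TOKENS)
            and all(tok in cli for tok in CLI_TOKENS))

def filter_lsass(ev):
    # WerFault spawned by LSASS itself is the legitimate crash-reporting path
    return ev.get("ParentImage", "").lower() == "c:\\windows\\system32\\lsass.exe"

def rule_matches(ev):
    """condition: all of selection_* and not 1 of filter_*"""
    return selection_img(ev) and selection_cli(ev) and not filter_lsass(ev)

def werfault_pids(cmdline):
    """Return (target_pid, source_pid) from '-p <target> ... -ip <source>', or None."""
    m = re.search(r"-p\s+(\d+)\s.*?-ip\s+(\d+)", cmdline, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(ev, lsass_pid):
    """False-positive check: credible only if -p is LSASS and -ip is another process."""
    pids = werfault_pids(ev.get("CommandLine", ""))
    if pids is None:
        return "no-pids"
    target, source = pids
    return "suspicious" if target == lsass_pid and source != lsass_pid else "benign"

# Constructed sample events (not real telemetry); PIDs are made up.
SUSPICIOUS = {"Image": r"C:\Windows\system32\Werfault.exe",
              "CommandLine": r"C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244",
              "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM",
              "ParentImage": r"C:\Windows\System32\svchost.exe"}
LEGIT_CRASH = dict(SUSPICIOUS, ParentImage=r"C:\Windows\System32\lsass.exe",
                   CommandLine=r"C:\Windows\system32\Werfault.exe -u -p 744 -ip 744 -s 244")

if __name__ == "__main__":
    for name, ev in (("suspicious", SUSPICIOUS), ("legit_crash", LEGIT_CRASH)):
        print(name, rule_matches(ev), triage(ev, lsass_pid=744))
```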

Rule Metadata
Rule ID: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
Status: test
Level: high
Type: Detection
Created: Thu Dec 08
Modified: Fri Dec 09
Path: rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml
Raw Tags: attack.credential-access, attack.t1003.001