Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential ReflectDebugger Content Execution Via WerFault.EXE

Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
X__Junior (Nextron Systems)Created Fri Jun 30fabfb3a7-3ce1-4445-9c7c-3c27f1051cddwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        CommandLine|contains: ' -pr '
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
cocomelonc.github.io
2
Resolving title…
hexacorn.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Potential WerFault ReflectDebugger Registry Value Abuse

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
Status
test
Level
medium
Type
Detection
Created
Fri Jun 30
Author
X__Junior (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1036
View on GitHub