Sigma Rule Update (2024-11-29 20:15:09) (#783)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Nov 29, 2024 · b269362 · b269362
1 parent 2840764
commit b269362
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml b/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -1,14 +1,15 @@
-title: Creation of an WerFault.exe in Unusual Folder
+title: Creation of WerFault.exe/Wer.dll in Unusual Folder
 id: 9b429517-f998-5ff2-0d42-88171bd63546
 related:
     - id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
       type: derived
 status: test
-description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
+description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
 references:
     - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 author: frack113
 date: 2022-05-09
+modified: 2024-11-28
 tags:
     - attack.persistence
     - attack.defense-evasion
@@ -25,13 +26,14 @@ detection:
         TargetFilename|endswith:
             - \WerFault.exe
             - \wer.dll
-    filter_whitelist:
-        TargetFilename|contains:
-            - \System32\
-            - \SysWOW64\
-            - \WinSxS\
-    condition: file_event and (selection and not filter_whitelist)
+    filter_main_known_locations:
+        TargetFilename|startswith:
+            - C:\Windows\SoftwareDistribution\
+            - C:\Windows\System32\
+            - C:\Windows\SysWOW64\
+            - C:\Windows\WinSxS\
+    condition: file_event and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
-level: high
+level: medium
 ruletype: Sigma