From b269362b1bf5b9bccfad90acb7824a99f143e01d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 29 Nov 2024 20:15:15 +0000
Subject: [PATCH] Sigma Rule Update (2024-11-29 20:15:09) (#783)
Co-authored-by: hach1yon
---
 .../file_event_win_werfault_dll_hijacking.yml | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml b/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml
index 3b3b3b6fb..7dd8a004d 100644
--- a/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -1,14 +1,15 @@
-title: Creation of an WerFault.exe in Unusual Folder
+title: Creation of WerFault.exe/Wer.dll in Unusual Folder
 id: 9b429517-f998-5ff2-0d42-88171bd63546
 related:
 - id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
 type: derived
 status: test
-description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
+description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
 references:
 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 author: frack113
 date: 2022-05-09
+modified: 2024-11-28
 tags:
 - attack.persistence
 - attack.defense-evasion
@@ -25,13 +26,14 @@ detection:
 TargetFilename|endswith:
 - \WerFault.exe
 - \wer.dll
- filter_whitelist:
- TargetFilename|contains:
- - \System32\
- - \SysWOW64\
- - \WinSxS\
- condition: file_event and (selection and not filter_whitelist)
+ filter_main_known_locations:
+ TargetFilename|startswith:
+ - C:\Windows\SoftwareDistribution\
+ - C:\Windows\System32\
+ - C:\Windows\SysWOW64\
+ - C:\Windows\WinSxS\
+ condition: file_event and (selection and not 1 of filter_main_*)
 falsepositives:
 - Unknown
-level: high
+level: medium
 ruletype: Sigma
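Review bot: The new `filter_main_known_locations` entries hard-code the `C:` drive, so on a host whose system volume has another drive letter every legitimate WerFault.exe or wer.dll write into the real System32, SysWOW64, WinSxS or SoftwareDistribution directory will now alert, where the old `\System32\` substring filter did not. Anchoring on the Windows directory rather than the drive keeps the tightening this commit achieves (the old `contains` form excluded any path containing `\System32\`, not only the system one) without that assumption: change the modifier to `TargetFilename|contains` and prefix each entry with `:\Windows\`, e.g. `- :\Windows\System32\`. Sigma string modifiers match case-insensitively by default, so the mixed-case path segments are fine as written. The filter is now narrower than before yet `level` drops from high to medium with no reason in the commit message; replacing `Unknown` under `falsepositives` with a one-line note on what the SoftwareDistribution entry is meant to suppress (presumably Windows Update staging) would document the intent for the next maintainer.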