The hypothesis is that an adversary is abusing the Windows Error Reporting (WER) components, specifically WerFault.exe and wer.dll, to execute malicious code by placing copies of them in non-standard directories where they evade detection. SOC teams should proactively hunt for this behaviour in Azure Sentinel because a WerFault.exe or wer.dll appearing outside the known system locations is a possible indicator of WerFault DLL hijacking (T1574.001) used for persistence or execution, a tactic seen in advanced persistent threat activity.
Detection Rule
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\WerFault.exe'
            - '\wer.dll'
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\UUS\arm64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL, ASIM imFileEvent parser)
imFileEvent
| where (TargetFileName endswith "\\WerFault.exe" or TargetFileName endswith "\\wer.dll")
    and not (
        TargetFileName startswith "C:\\Windows\\SoftwareDistribution\\"
        or TargetFileName startswith "C:\\Windows\\System32\\"
        or TargetFileName startswith "C:\\Windows\\SysWOW64\\"
        or TargetFileName startswith "C:\\Windows\\WinSxS\\"
        or TargetFileName startswith "C:\\Windows\\UUS\\arm64\\"
    )
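To check the rule's matching logic outside Sentinel, here is an added Python re-implementation (not part of the Sigma rule or the original page) run over constructed file-creation events. The suffixes and allowlisted prefixes are copied from the rule above; the sample events, the "Image" field and the event shape are assumptions, and the matching is case-insensitive because Sigma string modifiers and KQL endswith/startswith both ignore case.

```python
"""Python re-implementation of the WerFault.exe/wer.dll unusual-folder rule (added example)."""
import json
from typing import Iterable

# Values copied from the Sigma rule above; lowercased because matching is case-insensitive.
TARGET_SUFFIXES = ("\\werfault.exe", "\\wer.dll")
KNOWN_LOCATIONS = (
    "c:\\windows\\softwaredistribution\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\uus\\arm64\\",
)


def matches_rule(target_filename: str) -> bool:
    """True when the created file is WerFault.exe or wer.dll outside a known location.

    The leading backslash in the suffixes matters: 'viewer.dll' ends with 'wer.dll'
    but not with '\\wer.dll', so the rule does not match it.
    """
    path = target_filename.lower()
    if not path.endswith(TARGET_SUFFIXES):
        return False                      # selection fails
    return not path.startswith(KNOWN_LOCATIONS)  # filter_main_known_locations


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events that trigger the rule; events without TargetFilename are skipped."""
    return [e for e in events if matches_rule(e.get("TargetFilename", ""))]


# Constructed sample events (assumed shape, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\System32\\WerFault.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\WerFault.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\WinSxS\\amd64_wer\\wer.dll"},
    {"Image": "C:\\ProgramData\\app\\installer.exe", "TargetFilename": "C:\\ProgramData\\app\\WER.DLL"},
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "D:\\tools\\viewer.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Only the two events writing WerFault.exe or WER.DLL under a user profile or ProgramData are returned; the System32 and WinSxS writes are filtered and viewer.dll never passes the selection.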
Scenario: Windows Error Reporting (WER) Service Configuration
Description: The Windows Error Reporting service may create WerFault.exe or Wer.dll in non-standard directories during configuration or updates.
Filter/Exclusion: Exclude files created in the C:\Windows\Temp directory or within the C:\Windows\System32 folder, or files with a creation timestamp within the last 24 hours.
Scenario: Scheduled Task for System Diagnostics
Description: A legitimate scheduled task may generate WerFault.exe or Wer.dll in a temporary directory as part of system diagnostics or crash dump collection.
Filter/Exclusion: Exclude files created by processes associated with schtasks.exe or with a parent process matching Task Scheduler or Taskhost.exe.
Scenario: Windows Update or Patching Process
Description: During Windows updates or patching, temporary files including WerFault.exe or Wer.dll may be created in non-standard locations.
Filter/Exclusion: Exclude files created by processes with a parent process name of svchost.exe or wuauserv.exe, or within the C:\Windows\SoftwareDistribution directory.
Scenario: Microsoft System File Checker (SFC) Scan
Description: The System File Checker tool may temporarily create WerFault.exe or Wer.dll in a non-standard directory during a repair scan.
Filter/Exclusion: Exclude files created by processes with a parent process name of msdtc.exe or sfc.exe, or within the C:\Windows\Temp directory.
Scenario: Antivirus or Security Software Scan
Description: Some antivirus or endpoint security tools may create WerFault.exe or Wer.dll in temporary directories during a scan or quarantine process.