From 374f00350761a05cd2b1513cd2f1c625a2189acd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 29 Nov 2024 13:06:11 +0100
Subject: [PATCH] Merge PR #5093 from @Neo23x0 - Fix `Creation of WerFault.exe/Wer.dll in Unusual Folder`

fix: Creation of WerFault.exe/Wer.dll in Unusual Folder

- Add filter for windows update/installation folder `C:\Windows\SoftwareDistribution\`

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../file_event_win_werfault_dll_hijacking.yml | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
index b36b0b47bec..dc64f6d294c 100644
--- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -1,11 +1,12 @@
-title: Creation of an WerFault.exe in Unusual Folder
+title: Creation of WerFault.exe/Wer.dll in Unusual Folder
 id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
 status: test
-description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
+description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
 references:
     - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 author: frack113
 date: 2022-05-09
+modified: 2024-11-28
 tags:
     - attack.persistence
     - attack.defense-evasion
@@ -18,12 +19,13 @@ detection:
         TargetFilename|endswith:
             - '\WerFault.exe'
             - '\wer.dll'
-    filter_whitelist:
-        TargetFilename|contains:
-            - '\System32\'
-            - '\SysWOW64\'
-            - '\WinSxS\'
-    condition: selection and not filter_whitelist
+    filter_main_known_locations:
+        TargetFilename|startswith:
+            - 'C:\Windows\SoftwareDistribution\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
-level: high
+level: medium
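Review bot: The `startswith` entries for `C:\Windows\System32\` and `C:\Windows\SysWOW64\` still exempt every subdirectory of those trees, including ones that are writable by non-admin users (for example `C:\Windows\System32\spool\drivers\color\` and `C:\Windows\System32\Tasks\`), which are common planting spots for a renamed WerFault.exe or wer.dll; the old `contains` filter had the same gap and the rewrite keeps it. Since the legitimate binaries live directly in those two folders (as far as I know), pinning them with exact-path matches and keeping `startswith` only for the servicing directories (`SoftwareDistribution`, `WinSxS`) would close that hole without adding false positives. A separate caveat: all four prefixes hard-code the `C:` drive, so hosts with Windows on another volume would fire on routine servicing — if such hosts exist in the estate, `contains` with `:\Windows\...`-anchored prefixes may be preferable. The `detection:`/`selection:` mapping this filter belongs to starts before the hunk.
```yaml
    # … unchanged: selection …
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\WinSxS\'
    filter_main_system_binaries:
        TargetFilename:
            - 'C:\Windows\System32\WerFault.exe'
            - 'C:\Windows\System32\wer.dll'
            - 'C:\Windows\SysWOW64\WerFault.exe'
            - 'C:\Windows\SysWOW64\wer.dll'
    condition: selection and not 1 of filter_main_*
```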