Creation of WerFault.exe/Wer.dll in Unusual Folder (28a452f3-786c-4fd8-b8f2-bddbe9d616d1)

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Creation of WerFault.exe/Wer.dll in Unusual Folder (28a452f3-786c-4fd8-b8f2-bddbe9d616d1)	Sigma-Rules	DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	1
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2