Potential ReflectDebugger Content Execution Via WerFault.EXE (fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd)
Detects execution of "WerFault.exe" with the "-pr" command-line flag, which is used to run files stored in the ReflectDebugger key. That key could be used to store the path to malware in order to masquerade the execution flow.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Potential ReflectDebugger Content Execution Via WerFault.EXE (fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd) | Sigma-Rules | 1 |