Created
January 8, 2024 18:03
WerFault.exe screenshot OCR of the images in https://twitter.com/0gtweet/status/1744399577791201382
Event Properties - Event 1, Sysmon (General tab)
Process Create:
RuleName: -
UtcTime: 2024-01-08 16:28:07.892
ProcessGuid: {b566ceed-2297-659c-9f78-030000005700}
ProcessId: 42396
Image: C:\Windows\System32\WerFault.exe
FileVersion: 10.0.19041.3636 (WinBuild.160101.0800)
Description: Windows Problem Reporting
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: WerFault.exe
CommandLine: C:\Windows\system32\WerFault.exe -u -p 41292 -s 184
CurrentDirectory: C:\Windows\system32\
User: AzureAD\Grzegorz Tworek
LogonGuid: {b566ceed-e5e3-6578-21f4-230000000000}
LogonId: 0x23F421
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=CEAD0523EFB1D9C1474E0D3D507AE0FC
ParentProcessGuid: {b566ceed-2297-659c-9b78-030000005700}
ParentProcessId: 41292
ParentImage: C:\temp\wer1\Crash1.exe
ParentCommandLine: Crash1.exe
ParentUser: AzureAD\Grzegorz Tworek
Event Properties - Event 1, Kernel-Process (Details tab, XML View)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
    <EventID>1</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000010</Keywords>
    <TimeCreated SystemTime="2024-01-08T16:28:07.8461869Z" />
    <EventRecordID>18</EventRecordID>
    <Correlation />
    <Execution ProcessID="22812" ThreadID="42592" />
    <Channel />
    <Computer>NUC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">29764</Data>
    <Data Name="ProcessSequenceNumber">227485</Data>
    <Data Name="CreateTime">2024-01-08T16:28:07.8461556Z</Data>
    <Data Name="ParentProcessID">22812</Data>
    <Data Name="ParentProcessSequenceNumber">227484</Data>
    <Data Name="SessionID">0</Data>
    <Data Name="Flags">0</Data>
    <Data Name="ProcessTokenElevationType">1</Data>
    <Data Name="ProcessTokenIsElevated">1</Data>
    <Data Name="MandatoryLabel">S-1-16-16384</Data>
    <Data Name="ImageChecksum">625976</Data>
    <Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\WerFault.exe</Data>
    <Data Name="TimeDateStamp">2514205344</Data>
    <Data Name="PackageFullName" />
    <Data Name="PackageRelativeAppId" />
  </EventData>
</Event>
Event Properties - Event 1, Kernel-Process (Details tab, XML View)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
    <EventID>1</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000010</Keywords>
    <TimeCreated SystemTime="2024-01-08T16:28:07.8139345Z" />
    <EventRecordID>17</EventRecordID>
    <Correlation />
    <Execution ProcessID="1236" ThreadID="22836" />
    <Channel />
    <Computer>NUC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">22812</Data>
    <Data Name="ProcessSequenceNumber">227484</Data>
    <Data Name="CreateTime">2024-01-08T16:28:07.8138709Z</Data>
    <Data Name="ParentProcessID">1236</Data>
    <Data Name="ParentProcessSequenceNumber">13</Data>
    <Data Name="SessionID">0</Data>
    <Data Name="Flags">0</Data>
    <Data Name="ProcessTokenElevationType">1</Data>
    <Data Name="ProcessTokenIsElevated">1</Data>
    <Data Name="MandatoryLabel">S-1-16-16384</Data>
    <Data Name="ImageChecksum">84133</Data>
    <Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\svchost.exe</Data>
    <Data Name="TimeDateStamp">304989603</Data>
    <Data Name="PackageFullName" />
    <Data Name="PackageRelativeAppId" />
  </EventData>
</Event>
Event Properties - Event 1, Kernel-Process (Details tab, XML View)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-Process" Guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" />
    <EventID>1</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000010</Keywords>
    <TimeCreated SystemTime="2024-01-08T16:28:07.7773984Z" />
    <EventRecordID>16</EventRecordID>
    <Correlation />
    <Execution ProcessID="23068" ThreadID="23612" />
    <Channel />
    <Computer>NUC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">41292</Data>
    <Data Name="ProcessSequenceNumber">227483</Data>
    <Data Name="CreateTime">2024-01-08T16:28:07.7773578Z</Data>
    <Data Name="ParentProcessID">23068</Data>
    <Data Name="ParentProcessSequenceNumber">13907</Data>
    <Data Name="SessionID">1</Data>
    <Data Name="Flags">0</Data>
    <Data Name="ProcessTokenElevationType">2</Data>
    <Data Name="ProcessTokenIsElevated">1</Data>
    <Data Name="MandatoryLabel">S-1-16-12288</Data>
    <Data Name="ImageName">\Device\HarddiskVolume5\temp\wer1\Crash1.exe</Data>
    <Data Name="ImageChecksum">0</Data>
    <Data Name="TimeDateStamp">1704729487</Data>
    <Data Name="PackageFullName" />
    <Data Name="PackageRelativeAppId" />
  </EventData>
</Event>
From the tweet (four images; their OCR transcriptions are above)
Text:
Did you ever see a faulty process launching WerFault.exe as its child? Well... Windows is cheating! It's not the crashing process's job, and the parent PID spoofing happens here.
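The screenshots invite a cross-source check: Sysmon's Event 1 attributes WerFault.exe to the crashing Crash1.exe as parent, while the Kernel-Process provider records a WerFault.exe launched by svchost.exe in session 0 at System integrity. The Python below is an added example, not part of the gist or the tweet; its event records are constructed from the values transcribed above (the Kernel-Process EventData trimmed to the fields read). It parses the Kernel-Process XML, walks ParentProcessID links to rebuild lineage, extracts the faulting PID from WerFault's `-p` argument, and reports where Sysmon's view and the kernel's view diverge. Note that the kernel-trace record for Sysmon's WerFault PID 42396 is not among the screenshots, so the script reports that PID as untraced rather than asserting anything about it.

```python
"""Cross-check who launched WerFault.exe: Sysmon Event 1 vs. the
Microsoft-Windows-Kernel-Process Event 1 records transcribed above.
Added example; the records are constructed from the page's values."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known mandatory-label SIDs reported in the kernel events.
INTEGRITY = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
             "S-1-16-12288": "High", "S-1-16-16384": "System"}

# The three Kernel-Process Event 1 records from the screenshots (EventData
# trimmed to the fields this script reads; values unchanged).
KERNEL_PROCESS_EVENTS = [r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><EventRecordID>16</EventRecordID></System>
  <EventData><Data Name="ProcessID">41292</Data><Data Name="ParentProcessID">23068</Data>
  <Data Name="SessionID">1</Data><Data Name="MandatoryLabel">S-1-16-12288</Data>
  <Data Name="ImageName">\Device\HarddiskVolume5\temp\wer1\Crash1.exe</Data></EventData>
</Event>""", r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><EventRecordID>17</EventRecordID></System>
  <EventData><Data Name="ProcessID">22812</Data><Data Name="ParentProcessID">1236</Data>
  <Data Name="SessionID">0</Data><Data Name="MandatoryLabel">S-1-16-16384</Data>
  <Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\svchost.exe</Data></EventData>
</Event>""", r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><EventRecordID>18</EventRecordID></System>
  <EventData><Data Name="ProcessID">29764</Data><Data Name="ParentProcessID">22812</Data>
  <Data Name="SessionID">0</Data><Data Name="MandatoryLabel">S-1-16-16384</Data>
  <Data Name="ImageName">\Device\HarddiskVolume5\Windows\System32\WerFault.exe</Data></EventData>
</Event>"""]

# The Sysmon Event 1 fields from the first screenshot.
SYSMON_WERFAULT = {
    "ProcessId": 42396,
    "Image": r"C:\Windows\System32\WerFault.exe",
    "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 41292 -s 184",
    "TerminalSessionId": 1,
    "IntegrityLevel": "High",
    "ParentProcessId": 41292,
    "ParentImage": r"C:\temp\wer1\Crash1.exe",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_kernel_event(xml_text: str) -> dict:
    """Pull the lineage-relevant fields out of one Kernel-Process Event 1."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "pid": int(data["ProcessID"]),
        "parent_pid": int(data["ParentProcessID"]),
        "session": int(data["SessionID"]),
        "integrity": INTEGRITY.get(data["MandatoryLabel"], data["MandatoryLabel"]),
        "image": basename(data["ImageName"]),
    }


def lineage(events: list, pid: int) -> list:
    """Walk ParentProcessID links upward; stops when the parent was not traced."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append((pid, e["image"]))
        pid = e["parent_pid"]
    return chain


def wer_target_pid(cmdline: str):
    """The '-p <pid>' argument names the faulting process WerFault reports on."""
    m = re.search(r"\s-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def cross_check(sysmon: dict, kernel_xml: list) -> dict:
    events = [parse_kernel_event(x) for x in kernel_xml]
    by_pid = {e["pid"]: e for e in events}
    target = wer_target_pid(sysmon["CommandLine"])
    return {
        "sysmon_parent": (sysmon["ParentProcessId"], basename(sysmon["ParentImage"])),
        # Sysmon's parent equals the faulting PID: the reparenting the tweet describes.
        "sysmon_parent_is_faulting_pid": target == sysmon["ParentProcessId"],
        "faulting_process_traced": target in by_pid,
        "sysmon_pid_traced": sysmon["ProcessId"] in by_pid,
        # What the kernel provider recorded for WerFault.exe launches.
        "kernel_werfault": [
            {"pid": e["pid"], "lineage": lineage(events, e["pid"]),
             "session": e["session"], "integrity": e["integrity"]}
            for e in events if e["image"].lower() == "werfault.exe"],
    }


if __name__ == "__main__":
    for key, value in cross_check(SYSMON_WERFAULT, KERNEL_PROCESS_EVENTS).items():
        print(f"{key}: {value}")
```

The practical point for detection engineering: a rule that treats "parent PID differs from the creating process" as hostile will fire on this legitimate WER behaviour, so WerFault lineage should be judged against the Kernel-Process provider's ParentProcessID (and ProcessSequenceNumber, which PIDs reuse but sequence numbers do not), with the `-p` PID used to tie the report back to the faulting process.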