
WerFault – command line switches v0.1

September 20, 2019 in EDR, threat hunting

I posted about werfault.exe a couple of times before. Some of the posts focused on persistence mechanisms, some on lolbinish behavior, but I thought it would be good to dedicate some time to describe the actual command line arguments this program accepts…


In my opinion werfault.exe accepts the most bizarre command line argument combos on the Windows platform ever. And despite the werfault.exe process being executed so many times, we have yet to see a comprehensive description of the switches it relies on. What makes them stand out is that:

  • at a first glance, they look completely random
  • they use / rely on a bunch of weird, unusual and undocumented arguments, and finally,
  • many of them expect values in a numerical, often hexadecimal format that confuses every single analyst who has ever put their eyes on it…

The below summary is my first attempt to take a stab at this topic so it may not be the most complete reference, BUT… we have to start somewhere.

The key to understanding werfault.exe command line arguments is to focus on the first switch being used. Yes, the very first thing werfault.exe does when it is invoked is check the ‘why’:

  • -e: SQM Escalation
    • -e -p <num> -t <num> -r <num> -a <num> -f <num>
    • -e -p <num> -t <num> -r <num> -a <num> -f <num> -h <num>
  • -k : kernel-related
    • -k -lc <dump file name>
    • -k -lcq
    • -k -q
    • -k -rq
    • -k -l <string> <string> — live kernel
    • -k -lc <string> <string> — live kernel
  • -p: ?
    • -p <num> -h <num>
  • -pr: ?
  • -pss: ?
  • -s: process executed via SilentProcessExit mechanism
    • -s -t <num> -i <num> -e <num> -c <num>
  • -u : user mode
    • -u -p <num> -s <num>
  • /h – elevated hang reporting
    • /h /shared <shared>
    • /h /shared <shared> /t <num> /p <num>
  • /hc – ?
  • ??? -nonelevated – ??

The command line switch separator (- or /) that I listed above is actually important: the hardcoded form is what the program expects and compares against. This is somewhat unusual and escapes the typical pattern we are familiar with, where either of these two characters (- or /) is accepted as a switch indicator.
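To make the ‘first switch decides the why’ rule and the separator caveat usable during a hunt, here is an added example (my own code, not part of the original post or of Windows) that pulls werfault.exe command lines out of Sysmon-style EID 1 lines and classifies them using the table above. The log line layout, the `sharedobj_placeholder` value and the assumption that the listed value-taking switches are followed by exactly one token are mine; the switch table itself is copied from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The "why" table: first switch -> meaning, copied from the list in the post.
# Keys keep the separator exactly as listed, because werfault.exe compares the
# hardcoded form ("-k" and "/k" are not interchangeable).
FIRST_SWITCH_MEANING: Dict[str, str] = {
    "-e": "SQM escalation",
    "-k": "kernel-related",
    "-p": "unknown (-p <num> -h <num>)",
    "-pr": "unknown",
    "-pss": "unknown",
    "-s": "SilentProcessExit",
    "-u": "user mode",
    "/h": "elevated hang reporting",
    "/hc": "unknown",
}

# Switches that take one value in the post's listing. Assumption for the parser:
# any other token after the first switch is a bare flag.
VALUE_SWITCHES = {"-p", "-t", "-r", "-a", "-f", "-h", "-i", "-e", "-c", "-s",
                  "-lc", "/shared", "/t", "/p"}


@dataclass
class WerFaultInvocation:
    image: str
    first_switch: Optional[str]
    meaning: str
    args: Dict[str, Optional[str]] = field(default_factory=dict)
    notes: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted tokens whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(cmdline: str) -> Optional[WerFaultInvocation]:
    """Parse one command line; returns None when the image is not werfault.exe."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("werfault.exe"):
        return None
    inv = WerFaultInvocation(image=tokens[0], first_switch=None, meaning="no switch")
    if len(tokens) == 1:
        inv.notes.append("werfault.exe started without arguments")
        return inv
    first = tokens[1]
    inv.first_switch = first
    inv.meaning = FIRST_SWITCH_MEANING.get(first, "unlisted switch")
    if first not in FIRST_SWITCH_MEANING:
        # Separator mix-up the post warns about: "/u" is not the same as "-u".
        flipped = ("/" if first.startswith("-") else "-") + first[1:]
        if flipped in FIRST_SWITCH_MEANING:
            inv.notes.append(f"{first!r} uses the wrong separator; werfault expects {flipped!r}")
        else:
            inv.notes.append(f"first switch {first!r} is not in the table; review manually")
    # Remaining tokens: pair value switches with the token that follows them.
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            inv.args[tok] = tokens[i + 1]
            i += 2
        else:
            inv.args[tok] = None
            i += 1
    return inv


def hunt(log_lines: List[str]) -> List[WerFaultInvocation]:
    """Pull the CommandLine field out of Sysmon-style EID 1 lines and classify each one."""
    found = []
    for line in log_lines:
        m = re.search(r"CommandLine:\s*(.+)$", line)
        if m:
            inv = classify(m.group(1).strip())
            if inv is not None:
                found.append(inv)
    return found


# Constructed sample log lines (not real telemetry); "sharedobj_placeholder" stands in
# for whatever <shared> value werfault.exe would receive.
SAMPLE_LOG = [
    "Sysmon EID 1 CommandLine: C:\\Windows\\system32\\WerFault.exe -u -p 4120 -s 2296",
    'Sysmon EID 1 CommandLine: "C:\\Windows\\System32\\WerFault.exe" -s -t 7252 -i 9 -e 11 -c 12',
    "Sysmon EID 1 CommandLine: C:\\Windows\\system32\\WerFault.exe /h /shared sharedobj_placeholder /t 100 /p 5",
    "Sysmon EID 1 CommandLine: C:\\Windows\\system32\\WerFault.exe /u /p 4120",
    "Sysmon EID 1 CommandLine: C:\\Windows\\system32\\notepad.exe readme.txt",
]

if __name__ == "__main__":
    for inv in hunt(SAMPLE_LOG):
        print(inv.first_switch, "->", inv.meaning, inv.args, inv.notes)
```

The fourth sample line is the interesting one for a hunter: `/u` looks like the user-mode switch but is not the form werfault.exe compares against, so the classifier refuses to label it and leaves a note instead of silently mapping it to ‘user mode’. Unknown first switches and argument-less starts get the same treatment, which is exactly the population worth a second look.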

I am aware of many other command line switches, but I am still browsing through the code, so I will update this post when I get more info.

What are the lessons learned here?

If you see a werfault.exe process in Sysmon or 4688 logs, try to figure out what its execution is indicating. Sometimes it may be an early warning of malware trying to do something that is prohibited on newer versions of Windows but was fully acceptable on older ones. Also, if any program crashes and it involves werfault.exe, you can use it to provide feedback to the vendor/software developer…

There is a lot of goodness that can come out of looking at werfault.exe process invocations in general. Whatever crashes, hangs, or breaks usual patterns is always an interesting thing to look at.

That’s a very fine Chardonnay you’re not drinking

August 26, 2019 in threat hunting


This post is vague on names, vendors, products. Simple reason: I don’t want to get sued.

However, I give you all the tools to go and find the vendors that abuse the trust ‘your’ users put in them.

Old Post

This post is an attempt to look at a threat that is often overlooked in our typical threat hunting scenarios: unintended data leakage.

Unintended means that users do not have any plan to steal data and ruin a company. They simply lack the technical knowledge that would allow them to assess the risk of installing certain applications. Who am I kidding. It’s not only non-techies falling for it, but more technical people as well. I saw evidence of the latter on a number of occasions. Yup, and the evidence includes yours truly.

How do we leak data in an unintended way?

The simplest example is the auto-complete/auto-suggest functionality. As you type stuff in various search boxes (OS, browser address bar, search bar, etc.), the data is often sent key by key to some remote server instantly. In return, a suggested word can be provided and the editor can help us type faster by ‘guessing’ what the next word will be. This is a great and handy functionality, but the risk is that you may accidentally paste something sensitive and hit Enter. It did happen to me on more than one occasion over the years. I tend to flip between many windows pretty quickly, and sometimes such automation fails me. Additionally, if I work between two different OSes, e.g. Windows and Mac, and with many host/guest combos, my strong habits on one OS don’t translate well to the others. As such, wrong combinations of keys lead to a booboo. I have developed a habit now that I always look at the search box before I hit Enter, but I wouldn’t say this is a foolproof solution…

We can argue that these are just accidents and can be handled quickly. I agree. I wanted to describe a trivial case before I go to a more interesting area: the software.

There is a group of software that relies on heavy interaction with servers for a very simple reason: it works using the same principles as auto-complete/auto-suggest functionality, but applies them not only to typed keys, but to pretty much everything that has a textual form.

By now, I guess you know what I am talking about: translation software, and with a lower impact, spelling and grammar correction software, text-to-speech and voice-to-text software, as well as many online document converters (e.g. DOC to PDF).

I will focus on describing translation software only, but many of the aspects covered below apply to other software too, and similar threat hunting techniques can be used to find them.

From a purely technical perspective, many translation applications/plug-ins use techniques that are very similar to the ones you would expect from a proper keylogger. They monitor keys entered from the keyboard, they monitor the clipboard, they monitor active/foreground windows as well as the mouse cursor position to know where to grab text from. Some of them go as far as using ScreenOCR/ScreenICR to grab text from pictures, or from custom controls that don’t support text retrieval via any API. They also install add-ins and plug-ins to improve their ability to harvest text from word processors, email clients, etc. in a native way. They have… lots of potential.

Any time they grab that text, it is translated almost instantly.

Applications of this sort have existed for many years. Back in the day though, they would heavily rely on offline dictionaries and translation algorithms residing in libraries stored on the user’s system. The need to connect to a remote server was minimal (only for updates). Today, most of them are cloud-based. It is obviously better this way from a quality perspective: dictionaries are always up to date, there is no need to transfer large files, users can exchange translations, etc.

The only problem is that, in an effort to be as user-friendly as possible, they grab all the possible stuff without much control from the user and send it out.

If you are a ‘lucky’ threat hunter, you will look at your logs and see very rich GET requests. If you are less lucky, only POSTs, and for these you need to collect some PCAPs.

The ‘richest’ translation applications I have seen are those that send whole paragraphs, memos, the content of emails, email threads, pretty much… everything. Some of them will even include process names for the windows the text snapshot was taken from, or additional attributes telling the vendor how the text was grabbed. They actually include lots of metadata in these logs.

Now that I have your attention, my suggestion for your hunting exercise is as follows:

  • Network Logs
    • Look for popular process names in your logs, e.g. Outlook, Winword, etc.; they may be related to the translation software, or… any other threat (PUA, malware, etc.), so they are good one way or another
    • Look for domains that are related to translation; the following list of initial keywords should help:
      • transl
      • traduct
      • lingv
      • dict
      • thesau
      • spellc
  • Endpoint
    • Look for a presence of translation software
    • Download and install it in VM, test how it works
    • If you see it sending stuff out, assess what sort of data is being included
    • Look for cool functionality: ScreenOCR, ‘follow the window’, etc.

Note: not all of these applications are bad. Many of them ‘behave’, so you don’t need to kill ’em all. But monitoring at least — yes, definitely.
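To turn the network-log part of the hunting exercise into something runnable, here is an added example (my own code, not from the original post or any vendor) that scans proxy-style log lines for hosts matching the keyword list above, measures how much text leaves in GET query strings versus POST bodies (the latter being the ‘less lucky’ case that needs a PCAP), records which source process sent it, and skips hosts you have already reviewed and accepted. The log line layout, the `.test` hostnames and the sample lines are constructed by me; only the keyword list and the process names come from the post.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import urlsplit

# Initial keyword list from the post, matched as substrings of the hostname only
# (matching the path or query too would be far noisier).
TRANSLATION_KEYWORDS = ["transl", "traduct", "lingv", "dict", "thesau", "spellc"]

# Source processes the post singles out as worth a look in network logs.
INTERESTING_PROCESSES = {"outlook.exe", "winword.exe"}


class Hit(NamedTuple):
    host: str
    keyword: str
    method: str
    process: str
    query_bytes: int   # length of a GET query string: what a "rich" GET carries in the log
    body_bytes: int    # POST body size: the content itself is only visible in a PCAP


# Constructed log layout (assumption): "<ts> <client> <process> <method> <url> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def match_keyword(host: str) -> Optional[str]:
    """Return the first keyword found in the hostname, or None."""
    h = host.lower()
    for kw in TRANSLATION_KEYWORDS:
        if kw in h:
            return kw
    return None


def scan(lines: List[str], allowlist: Optional[Set[str]] = None) -> List[Hit]:
    """Scan proxy-style log lines for requests to translation-looking hosts.

    allowlist holds hosts already reviewed and accepted (the post notes that not
    every such application misbehaves), so they are skipped rather than re-flagged.
    """
    allowlist = allowlist or set()
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, _client, process, method, url, bytes_out = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        kw = match_keyword(host)
        if kw is None or host in allowlist:
            continue
        query_bytes = len(parts.query) if method == "GET" else 0
        body_bytes = int(bytes_out) if method == "POST" else 0
        hits.append(Hit(host, kw, method, process.lower(), query_bytes, body_bytes))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, dict]:
    """Per host: request count, how much text went out, and which processes sent it."""
    out: Dict[str, dict] = defaultdict(lambda: {
        "requests": 0, "get_query_bytes": 0, "post_body_bytes": 0,
        "processes": set(), "interesting_process": False,
    })
    for h in hits:
        s = out[h.host]
        s["requests"] += 1
        s["get_query_bytes"] += h.query_bytes
        s["post_body_bytes"] += h.body_bytes
        s["processes"].add(h.process)
        s["interesting_process"] |= h.process in INTERESTING_PROCESSES
    return dict(out)


def needs_pcap(hits: List[Hit]) -> List[str]:
    """Hosts seen only via POST: the proxy log shows size, not content, so capture PCAP."""
    methods: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        methods[h.host].add(h.method)
    return sorted(host for host, ms in methods.items() if ms == {"POST"})


# Constructed sample lines (not real traffic); hosts use the reserved .test TLD.
SAMPLE_LOG = [
    "2019-08-26T09:00:01 10.0.0.5 winword.exe GET http://api.example-translate.test/v1?q=quarterly+revenue+forecast+draft&from=en&to=de 0",
    "2019-08-26T09:00:02 10.0.0.5 outlook.exe POST https://svc.example-dict.test/lookup 2048",
    "2019-08-26T09:00:03 10.0.0.7 chrome.exe GET https://www.example-news.test/ 0",
    "2019-08-26T09:00:04 10.0.0.5 winword.exe GET http://api.example-translate.test/v1?q=hello&from=en&to=fr 0",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, s in summarize(found).items():
        print(host, s)
    print("collect PCAP for:", needs_pcap(found))
```

Two things worth noting when adapting this: the keyword list is deliberately broad (‘dict’ will also match hosts that have nothing to do with dictionaries), so expect to grow the allowlist after the first pass; and the GET query length is only a proxy for how much text left, the real assessment still means installing the software in a VM and watching what it sends, as the endpoint steps above say.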