Windows Error Reporting Has a Recurring Problem
CVE-2026-20817 is a local privilege escalation vulnerability in the Windows Error Reporting (WER) Service, patched by Microsoft in the January 2026 security update [1][9]. The flaw allows an attacker with an initial foothold on a system to escalate to SYSTEM-level privileges through abuse of the WER service's ALPC (Advanced Local Procedure Call) communication mechanism [2][9]. Affected systems include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 [8].
This isn't an isolated incident. WER has been a recurring target for both nation-state and financially motivated threat actors. Black Basta exploited CVE-2024-26169, a separate WER elevation of privilege flaw, as a zero-day before Microsoft released a patch [4][10]. Chinese threat actors have weaponized WerFault.exe for DLL sideloading [7]. Nefilim ransomware operators injected malicious code into wermgr.exe for defense evasion [6]. WER's elevated privileges and ALPC communication mechanism make it a consistent target for privilege escalation, persistence, and evasion.
How CVE-2026-20817 Works
The vulnerability exists in the SvcElevatedLaunch method of the WER service [2]. By default, the WER service exposes an ALPC port named \WindowsErrorReportingServicePort for interprocess communication [2]. This port accepts messages from other processes and performs various operations, including launching elevated processes on behalf of callers.
The core issue is improper handling of insufficient permissions, classified as CWE-280 [9]. An attacker constructs a crafted ALPC message targeting the SvcElevatedLaunch method, creating shared memory containing a malicious command line payload [8]. The WER service processes this request and executes the payload with SYSTEM privileges, because the service itself runs at that privilege level.
The attack chain looks like this:
- Attacker gains local access as a standard user
- Attacker connects to \WindowsErrorReportingServicePort via ALPC
- Attacker sends a specially crafted message to invoke SvcElevatedLaunch
- The WER service creates shared memory with the attacker-supplied command line [8]
- The service executes the payload as SYSTEM
The two key executables involved are WerFault.exe (the user-facing crash dialog) and WerMgr.exe (the background manager process) [1].
Proof-of-Concept and the Fake PoC Trap
A proof-of-concept exploit for CVE-2026-20817 has been published [8]. This makes weaponization straightforward for anyone with moderate skill.
More concerning: a fake PoC repository appeared on GitHub at https://github.com/oxfemale/CVE-2026-20817, which poses a direct risk to security researchers attempting to analyze the vulnerability [2]. This is a well-known social engineering tactic. Threat actors publish malicious code disguised as legitimate PoC exploits, targeting researchers who clone and execute these repos. Defenders and researchers should treat any CVE-2026-20817 PoC from untrusted sources with extreme suspicion.
As of this writing, CVE-2026-20817 has not been added to the CISA Known Exploited Vulnerabilities catalog, and no confirmed in-the-wild exploitation has been reported [9]. That status is unlikely to last.
The Precedent: Black Basta's Zero-Day Exploitation of CVE-2024-26169
To understand why CVE-2026-20817 demands urgent attention, look at what happened with CVE-2024-26169, the previous WER elevation of privilege vulnerability.
The Black Basta ransomware group exploited CVE-2024-26169 as a zero-day [4][10]. Exploit tools associated with the campaign had a compilation timestamp of February 27, 2024, several weeks before Microsoft released a patch [4]. This means Black Basta had working exploitation capability while the vulnerability was still unpatched.
The CVE-2024-26169 exploit manipulated werkernel.sys to create a registry key at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe [10][5]. This Image File Execution Options (IFEO) registry key is a classic persistence and hijacking technique: it forces Windows to launch a debugger (in this case, attacker-controlled code) every time WerFault.exe runs. Since WER triggers frequently across normal system operations, this provides reliable persistence.
Black Basta used DarkGate loader for initial access in these campaigns, pivoting to DarkGate after the QakBot takedown disrupted their previous delivery mechanism [4][5]. CVE-2024-26169 was subsequently added to the CISA Known Exploited Vulnerability list [3]. Multiple malware families weaponized the vulnerability, including QakBot, DarkGate Loader, and Black Basta's own tooling [3].
WER as a DLL Sideloading Vehicle
Beyond privilege escalation flaws in the WER service itself, WerFault.exe is a popular target for DLL sideloading attacks.
In a campaign attributed to Chinese threat actors, attackers distributed malicious ISO files containing a shortcut file named inventory & our specialties.lnk [7]. When opened, this shortcut used scriptrunner.exe to execute WerFault.exe, which then loaded a malicious faultrep.dll through a known DLL sideloading flaw [7]. The ISO also contained a decoy file named File.xls to maintain the social engineering pretext [7].
Nefilim ransomware operators took a different approach, using process injection into wermgr.exe for defense evasion and WerFault.exe for DLL sideloading [6]. Because WER processes are signed Microsoft binaries that run frequently, security products often trust them implicitly. This makes them ideal cover for malicious activity.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | WerFault.exe | WER process exploited for privilege escalation and DLL sideloading | [1][7] |
| Filename | WerMgr.exe / wermgr.exe | WER manager process targeted for process injection | [1][6] |
| Filename | werkernel.sys | Kernel component exploited for registry manipulation | [5] |
| Filename | faultrep.dll | Legitimate DLL replaced in sideloading attacks | [6][7] |
| Filename | scriptrunner.exe | Used to execute WerFault.exe in sideloading chain | [7] |
| Filename | inventory & our specialties.lnk | Malicious shortcut file in ISO-based delivery | [7] |
| Filename | File.xls | Decoy Excel file included in malicious ISO | [7] |
| URL | https://github.com/oxfemale/CVE-2026-20817 | Fake PoC repository, likely malicious | [2] |
| Malware | DarkGate Loader | Used for initial access in Black Basta campaigns | [3][4] |
| Malware | QakBot | Previously weaponized CVE-2024-26169 | [3] |
| Malware | Nefilim | Ransomware using WER process injection | [6] |
| Registry Path | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe | IFEO key created by CVE-2024-26169 exploit | [5] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | CVE-2026-20817 and CVE-2024-26169 exploitation [1][4] |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Malicious faultrep.dll loaded by WerFault.exe [6][7] |
| T1112 | Modify Registry | IFEO registry key creation for persistence [5][10] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Post-exploitation disabling of security controls [1] |
| T1566.001 | Phishing: Spearphishing Attachment | ISO-based delivery with malicious LNK files [7] |
| T1083 | File and Directory Discovery | Nefilim reconnaissance activity [6] |
Detection and Hunting
WER-related exploitation leaves detectable traces across several telemetry sources.
Process monitoring: Deploy EDR queries looking for WerFault.exe or WerMgr.exe spawns where the process token is SYSTEM but lacks SeTcbPrivilege [1]. This is a strong signal of privilege escalation through the WER service rather than legitimate crash handling.
ALPC monitoring: Watch for unusual connections to \WindowsErrorReportingServicePort. Legitimate callers are typically WerFault.exe and WerMgr.exe. Any other process connecting to this port warrants investigation [2].
Registry monitoring: Alert on creation or modification of keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe. This IFEO technique was central to Black Basta's CVE-2024-26169 exploitation [5][10].
DLL sideloading detection: Monitor for faultrep.dll loads from non-standard paths. The legitimate faultrep.dll lives in %SystemRoot%\System32. Any instance loaded from temp directories, user profiles, or mounted ISOs is malicious [7].
File system monitoring: Watch for anomalous file operations in C:\ProgramData\Microsoft\Windows\WER\ [9]. Unusual file creation patterns in this directory can indicate exploitation attempts.
Sample Splunk query for IFEO abuse:
index=sysmon EventCode=13 TargetObject="*\\Image File Execution Options\\WerFault.exe*"
| table _time, Computer, User, TargetObject, Details
Analysis
The WER service sits in an awkward security position. It needs SYSTEM privileges to collect crash data from any process on the system. It needs to accept input from user-mode processes via ALPC. And it needs to launch elevated processes for certain crash handling operations. Every one of these design requirements creates attack surface.
Three distinct vulnerability classes have now been exploited through WER: ALPC-based privilege escalation (CVE-2026-20817), kernel driver manipulation for registry abuse (CVE-2024-26169), and DLL sideloading through trusted binaries (WerFault.exe). These aren't variations on one theme. They represent fundamentally different attack vectors against the same service.
Black Basta's zero-day exploitation of CVE-2024-26169 confirms that sophisticated ransomware operators actively develop and stockpile WER exploits [4]. The compilation timestamp evidence, showing exploit tools built weeks before the patch, indicates dedicated vulnerability research capability within or available to the group.
The absence of confirmed in-the-wild exploitation for CVE-2026-20817 should not be mistaken for safety. The PoC is public [8], the attack surface is well-understood, and the same class of attacker that burned CVE-2024-26169 as a zero-day is actively looking for the next WER vulnerability to exploit.
Red Sheep Assessment
Confidence: Moderate-High
WER has become a serial offender in the Windows privilege escalation space. Three distinct exploitation patterns, none requiring particularly sophisticated tooling, all leading to SYSTEM. Microsoft's patches address individual vulnerabilities, but the architectural problem persists: a SYSTEM-privileged service that accepts unauthenticated ALPC messages and performs elevated operations on behalf of callers.
The fake PoC repository for CVE-2026-20817 [2] is notable. It appeared quickly after disclosure, suggesting threat actors are pre-positioning to compromise researchers and red teamers who will be among the first to analyze the vulnerability. This is a supply chain attack on the offensive security community itself.
A contrarian read: organizations that have disabled WER entirely (which is common in hardened environments) are already protected against these specific exploitation vectors. The practical impact may be concentrated in enterprise environments running default configurations, exactly the environments where Black Basta and similar groups operate. The population of vulnerable systems is likely large, but the population of systems where WER is both enabled and exposed to untrusted users is the real attack surface that matters.
We assess with moderate-high confidence that CVE-2026-20817 will be exploited in the wild within 90 days. The PoC availability, the proven attacker interest in WER vulnerabilities, and the straightforward exploitation path all point in the same direction.
Defender's Checklist
- [ ] Apply the January 2026 Microsoft security update addressing CVE-2026-20817 on all Windows 10, 11, Server 2019, and Server 2022 systems [8][9]
- [ ] Hunt for IFEO persistence at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe using Sysmon EventCode 13 or equivalent registry monitoring [5]
- [ ] Deploy EDR detection for WerFault.exe or WerMgr.exe running as SYSTEM without SeTcbPrivilege, per query guidance from source [1]
- [ ] Audit faultrep.dll load paths across the environment. Flag any instance loaded from outside %SystemRoot%\System32 as a sideloading indicator [7]
- [ ] Evaluate disabling WER on high-value targets (domain controllers, jump servers, security infrastructure) where crash telemetry is not operationally required. Use Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting
References
[1] https://malwaretips.com/threads/windows-error-reporting-flaw-allows-attackers-to-elevate-privileges.139596/
[2] https://itm4n.github.io/cve-2026-20817-wersvc-eop/
[3] https://feedly.com/cve/CVE-2024-26169
[4] https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day
[5] https://www.purevpn.com/blog/news/ransomware-group-black-basta-linked-to-zero-day-attacks-on-windows/
[6] https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
[7] https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
[8] https://cyberpress.org/poc-exploit-released-for-microsoft-windows/
[9] https://www.sentinelone.com/vulnerability-database/cve-2026-20817/
[10] https://www.rescana.com/post/cve-2024-26169-active-exploitation-of-windows-elevation-of-privilege-flaw
---
Hunt Guide: Windows Error Reporting (WER) Privilege Escalation Campaign
Hypothesis: If threat actors are exploiting WER vulnerabilities (CVE-2026-20817/CVE-2024-26169) in our environment, we expect to observe anomalous WER process execution with SYSTEM privileges, ALPC connections to WindowsErrorReportingServicePort, and registry modifications under Image File Execution Options.
Intelligence Summary: CVE-2026-20817 is a local privilege escalation vulnerability in Windows Error Reporting Service that allows attackers to escalate to SYSTEM privileges via crafted ALPC messages. This follows a pattern of WER exploitation including Black Basta's zero-day use of CVE-2024-26169 and ongoing DLL sideloading attacks targeting WerFault.exe.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows 10/11 endpoints, Windows Server 2019/2022 infrastructure, with priority on systems running default WER configurations
- Timeframe: Initial: 30 days retrospective, Ongoing: Real-time monitoring with 7-day retention for correlation
- Priority Systems: Domain controllers, privileged access workstations, security infrastructure (SIEM/EDR servers), external-facing Windows servers
MITRE ATT&CK Techniques
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
Attackers exploit WER service vulnerabilities (CVE-2026-20817, CVE-2024-26169) to escalate from standard user to SYSTEM privileges through ALPC message manipulation
Splunk SPL:
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (New_Process_Name="*\\WerFault.exe" OR New_Process_Name="*\\WerMgr.exe" OR New_Process_Name="*\\wermgr.exe") TokenElevationType="%%1937" | eval has_tcb=if(match(Privileges, "SeTcbPrivilege"), "Yes", "No") | where has_tcb="No" | table _time Computer User New_Process_Name Parent_Process_Name TokenElevationType Privileges
Elastic KQL:
(event.code:4688 OR event.code:1) AND (process.name:"WerFault.exe" OR process.name:"WerMgr.exe" OR process.name:"wermgr.exe") AND winlog.event_data.TokenElevationType:"%%1937" AND NOT winlog.event_data.PrivilegeList:*SeTcbPrivilege*
Sigma Rule:
title: WER Process Running as SYSTEM Without TCB Privilege
id: 8a7e90c5-fe34-4ce7-bb88-30d9bb75669f
status: experimental
description: Detects WER processes running with SYSTEM privileges but lacking SeTcbPrivilege, indicating potential exploitation
references:
    - https://malwaretips.com/threads/windows-error-reporting-flaw-allows-attackers-to-elevate-privileges.139596/
author: PEAK Hunt Team
date: 2024/01/15
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2026.20817
    - cve.2024.26169
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WerFault.exe'
            - '\WerMgr.exe'
            - '\wermgr.exe'
        IntegrityLevel: 'System'
    filter:
        PrivilegeList|contains: 'SeTcbPrivilege'
    condition: selection and not filter
falsepositives:
    - Legitimate crash handling may occasionally lack TCB privilege
level: high
Monitor for false positives during system updates or crash dumps. Correlate with ALPC monitoring for confirmation. Neither Security event 4688 nor Sysmon event 1 carries the token's privilege list, so the SeTcbPrivilege comparison depends on EDR telemetry that enriches process creation with token information (see Data Source Requirements).
T1574.002 — Hijack Execution Flow: DLL Side-Loading (Persistence) [P1]
Threat actors abuse WerFault.exe to sideload malicious faultrep.dll from non-standard locations for persistence and defense evasion
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 Image="*\\WerFault.exe" ImageLoaded="*faultrep.dll" NOT ImageLoaded="C:\\Windows\\System32\\faultrep.dll" | table _time Computer Image ImageLoaded Signed SignatureStatus
Elastic KQL:
event.code:7 AND process.name:"WerFault.exe" AND file.name:"faultrep.dll" AND NOT file.path:"C:\\Windows\\System32\\faultrep.dll"
Sigma Rule:
title: Suspicious faultrep.dll Load from Non-Standard Path
id: 5e8a8f45-8cd2-4789-a84f-08dbb28f53ba
status: experimental
description: Detects faultrep.dll being loaded from outside System32, indicating DLL sideloading attack
references:
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
author: PEAK Hunt Team
date: 2024/01/15
tags:
    - attack.persistence
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\WerFault.exe'
        ImageLoaded|endswith: 'faultrep.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\faultrep.dll'
    condition: selection and not filter
falsepositives:
    - None expected
level: critical
High-fidelity detection. Any faultrep.dll load from non-System32 paths is malicious. One tuning point: on 64-bit Windows the 32-bit WerFault.exe loads its copy from %SystemRoot%\SysWOW64, so add that path to the filter before deployment.
T1112 — Modify Registry (Defense Evasion) [P1]
Attackers create Image File Execution Options (IFEO) registry keys for WerFault.exe to establish persistence and hijack execution
Splunk SPL:
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (12,13,14) OR sourcetype=WinEventLog:Security EventCode=4657) TargetObject="*\\Image File Execution Options\\WerFault.exe*" | table _time Computer User EventCode TargetObject Details EventType
Elastic KQL:
(event.code:12 OR event.code:13 OR event.code:14 OR event.code:4657) AND registry.path:*\\Image\ File\ Execution\ Options\\WerFault.exe*
Sigma Rule:
title: IFEO Registry Key Creation for WerFault.exe
id: 7b4f5c85-2e91-4d7f-ae5d-17bb8c5e4321
status: experimental
description: Detects creation or modification of Image File Execution Options keys for WerFault.exe
references:
    - https://www.purevpn.com/blog/news/ransomware-group-black-basta-linked-to-zero-day-attacks-on-windows/
author: PEAK Hunt Team
date: 2024/01/15
tags:
    - attack.persistence
    - attack.t1112
    - attack.defense_evasion
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Image File Execution Options\WerFault.exe'
        EventType:
            - CreateKey
            - SetValue
    condition: selection
falsepositives:
    - Legitimate debugging tools
    - Security software configuration
level: high
Investigate any IFEO debugger value set for WerFault.exe. Cross-reference with process creation events.
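The three host-side checks this report keeps returning to (the Detection and Hunting section's process, registry and DLL-load monitoring, and the T1068, T1574.002 and T1112 hunt rules above) carried out offline in Python, as an added example that is not part of this report or of any source it cites. The event records are constructed to resemble Sysmon and Security events after SIEM field extraction; the field names, the `Privileges` field on the process-creation record (which would have to come from EDR enrichment) and `C:\Windows` as the system root are assumptions.

```python
"""Offline triage of WER-related telemetry: IFEO keys for WerFault.exe,
faultrep.dll loaded from outside the Windows system directories, and WER
binaries running as SYSTEM without SeTcbPrivilege."""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]
Finding = Dict[str, str]

# Constructed sample records, shaped like Sysmon/Security events after SIEM
# field extraction. Field names follow the queries in the hunt guide and are
# an assumption about the collection pipeline, not a fixed schema.
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": "13", "Computer": "WS01",                       # IFEO Debugger value set
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\WerFault.exe\Debugger",
     "Details": r"C:\Users\Public\debug.exe"},
    {"EventCode": "7", "Computer": "WS02",                        # load from a mounted ISO
     "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"D:\faultrep.dll"},
    {"EventCode": "7", "Computer": "WS03",                        # legitimate 32-bit load
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\faultrep.dll"},
    {"EventCode": "1", "Computer": "WS04",                        # SYSTEM token without TCB
     "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "Privileges": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventCode": "1", "Computer": "WS05",                        # normal SYSTEM token
     "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "Privileges": "SeTcbPrivilege SeDebugPrivilege"},
]

IFEO_WERFAULT = re.compile(
    r"\\Image File Execution Options\\WerFault\.exe(\\|$)", re.IGNORECASE)
WER_BINARIES = ("werfault.exe", "wermgr.exe")
# Assumes %SystemRoot% is C:\Windows. The 32-bit WerFault.exe on x64 loads
# the SysWOW64 copy, so both system directories are treated as legitimate.
LEGIT_FAULTREP = {
    r"c:\windows\system32\faultrep.dll",
    r"c:\windows\syswow64\faultrep.dll",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_ifeo(ev: Event) -> Optional[Finding]:
    """Sysmon 12/13/14 touching the IFEO key (or a value under it) for WerFault.exe."""
    if ev.get("EventCode") not in ("12", "13", "14"):
        return None
    if not IFEO_WERFAULT.search(ev.get("TargetObject", "")):
        return None
    return {"rule": "IFEO_WerFault", "Computer": ev.get("Computer", ""),
            "detail": f"{ev['TargetObject']} = {ev.get('Details', '')}"}


def check_faultrep_sideload(ev: Event) -> Optional[Finding]:
    """Sysmon 7: faultrep.dll image load from anywhere but the system directories."""
    if ev.get("EventCode") != "7":
        return None
    loaded = ev.get("ImageLoaded", "")
    if basename(loaded) != "faultrep.dll" or loaded.lower() in LEGIT_FAULTREP:
        return None
    return {"rule": "faultrep_sideload", "Computer": ev.get("Computer", ""),
            "detail": f"{ev.get('Image', '')} loaded {loaded}"}


def check_system_without_tcb(ev: Event) -> Optional[Finding]:
    """Process creation: WER binary as SYSTEM whose token lacks SeTcbPrivilege."""
    if ev.get("EventCode") != "1":
        return None
    if basename(ev.get("Image", "")) not in WER_BINARIES:
        return None
    if ev.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return None
    privileges = set(re.split(r"[\s,]+", ev.get("Privileges", "").strip()))
    if "SeTcbPrivilege" in privileges:
        return None
    return {"rule": "WER_SYSTEM_no_TCB", "Computer": ev.get("Computer", ""),
            "detail": f"{ev['Image']} privileges: {ev.get('Privileges', '')}"}


CHECKS = (check_ifeo, check_faultrep_sideload, check_system_without_tcb)


def triage(events: List[Event]) -> List[Finding]:
    """Run every check over every record and collect the hits in input order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['Computer']}: {finding['detail']}")
```

Against the sample set this reports WS01 (IFEO), WS02 (faultrep.dll from D:\) and WS04 (SYSTEM WerFault.exe without SeTcbPrivilege) and stays quiet on the SysWOW64 load and the normal SYSTEM token. The IFEO regex deliberately matches values under the key as well as the key itself, because the Debugger value is where the hijack actually lands.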
T1055 — Process Injection (Defense Evasion) [P2]
Nefilim ransomware and other threats inject malicious code into wermgr.exe for defense evasion
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 TargetImage="*\\wermgr.exe" GrantedAccess IN ("0x1F0FFF", "0x1FFFFF", "0x1010", "0x1438") NOT SourceImage IN ("*\\WerFault.exe", "*\\svchost.exe", "*\\csrss.exe") | table _time Computer SourceImage TargetImage GrantedAccess CallTrace
Elastic KQL:
event.code:10 AND process.target.name:"wermgr.exe" AND winlog.event_data.GrantedAccess:("0x1F0FFF" OR "0x1FFFFF" OR "0x1010" OR "0x1438") AND NOT process.name:("WerFault.exe" OR "svchost.exe" OR "csrss.exe")
Monitor for PROCESS_ALL_ACCESS (0x1F0FFF) or PROCESS_VM_WRITE (0x0020) access to wermgr.exe from unexpected sources.
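To make the GrantedAccess masks in the T1055 queries readable during triage, here is an added Python example (not from this report or any of its sources) that decodes Sysmon Event 10 masks into named process rights and flags handles to wermgr.exe that carry write or thread-creation rights from a source outside the expected set. The rights values are the winnt.h constants; the sample events are constructed, and the expected-source list and the choice to flag on PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD (rather than the fixed mask list in the SPL above) are this example's own assumptions. Note that 0x1010 decodes to read-only rights and is therefore not flagged here, which is one way the two approaches differ.

```python
"""Decode Sysmon Event 10 (ProcessAccess) GrantedAccess masks and flag
injection-capable handles to wermgr.exe from unexpected source processes."""
from typing import Dict, List

# Process access rights as defined in winnt.h.
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# Rights that let a caller change the target's memory or start execution in it.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

# Sources the hunt guide's SPL excludes as expected handle holders (assumption).
EXPECTED_SOURCES = ("werfault.exe", "svchost.exe", "csrss.exe")

# Constructed sample Event 10 records; field names follow Sysmon's schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "10", "Computer": "WS01",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe", "GrantedAccess": "0x1438"},
    {"EventCode": "10", "Computer": "WS02",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": "10", "Computer": "WS03",
     "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe", "GrantedAccess": "0x1010"},
    {"EventCode": "10", "Computer": "WS04",
     "SourceImage": r"C:\Users\bob\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe", "GrantedAccess": "0x1F0FFF"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_access(mask_hex: str) -> List[str]:
    """Expand a GrantedAccess value such as '0x1438' into named rights, lowest bit first."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def injection_capable(mask_hex: str) -> bool:
    """True when the handle can write memory, change page protections or create threads."""
    return bool(int(mask_hex, 16) & INJECTION_RIGHTS)


def triage_process_access(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Report injection-capable handles to wermgr.exe from unexpected source images."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventCode") != "10" or basename(ev.get("TargetImage", "")) != "wermgr.exe":
            continue
        if basename(ev.get("SourceImage", "")) in EXPECTED_SOURCES:
            continue
        if not injection_capable(ev["GrantedAccess"]):
            continue
        findings.append({"Computer": ev.get("Computer", ""),
                         "SourceImage": ev["SourceImage"],
                         "GrantedAccess": ev["GrantedAccess"],
                         "rights": decode_access(ev["GrantedAccess"])})
    return findings


if __name__ == "__main__":
    for hit in triage_process_access(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['SourceImage']} -> wermgr.exe "
              f"{hit['GrantedAccess']} = {', '.join(hit['rights'])}")
```

On the sample set WS01 (0x1438 from a Temp-directory loader) and WS04 (0x1F0FFF from a Downloads binary) are reported; the svchost.exe handle is excluded by source and the 0x1010 handle is excluded because it carries only PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION. Decoding the mask in the alert body saves the analyst a trip to the header file when deciding whether a handle could actually have written to the process.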
T1134 — Access Token Manipulation (Privilege Escalation) [P2]
Monitoring for anomalous ALPC connections to WindowsErrorReportingServicePort that may indicate exploitation attempts
Splunk SPL:
index=* sourcetype=etw_rpc AlpcPortName="\\WindowsErrorReportingServicePort" NOT (ProcessName="WerFault.exe" OR ProcessName="WerMgr.exe" OR ProcessName="svchost.exe") | bin _time span=5m | stats count by _time ProcessName ProcessId AlpcPortName | where count > 5
Elastic KQL:
event.provider:"Microsoft-Windows-RPC" AND rpc.alpc_port:"\\WindowsErrorReportingServicePort" AND NOT process.name:("WerFault.exe" OR "WerMgr.exe" OR "svchost.exe")
Requires ETW RPC provider or custom ALPC monitoring. High-value detection for active exploitation.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | WerFault.exe | Windows Error Reporting process exploited for privilege escalation and DLL sideloading |
| filename | WerMgr.exe | WER manager process targeted for privilege escalation |
| filename | wermgr.exe | WER manager process (lowercase variant) targeted for process injection by Nefilim |
| filename | werkernel.sys | Kernel component exploited by Black Basta for registry manipulation in CVE-2024-26169 |
| filename | faultrep.dll | Legitimate DLL replaced in sideloading attacks via WerFault.exe |
| filename | scriptrunner.exe | Used to execute WerFault.exe in Chinese actor DLL sideloading chain |
| filename | inventory & our specialties.lnk | Malicious shortcut file in ISO-based delivery for WER DLL sideloading |
| filename | File.xls | Decoy Excel file included in malicious ISO for WER sideloading attacks |
| url | https://github.com/oxfemale/CVE-2026-20817 | Fake PoC repository for CVE-2026-20817, likely contains malware targeting security researchers |
| registry | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe | IFEO registry key created by CVE-2024-26169 exploit for persistence |
IOC Sweep Queries (Splunk):
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (New_Process_Name="*\\WerFault.exe" OR Image="*\\WerFault.exe") | stats count by Computer New_Process_Name Parent_Process_Name User
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (New_Process_Name="*\\WerMgr.exe" OR Image="*\\WerMgr.exe") | stats count by Computer New_Process_Name Parent_Process_Name User
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (New_Process_Name="*\\wermgr.exe" OR Image="*\\wermgr.exe") | stats count by Computer New_Process_Name Parent_Process_Name User
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=6) ImageLoaded="*werkernel.sys" | table _time Computer ImageLoaded Signed SignatureStatus
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 ImageLoaded="*faultrep.dll" NOT ImageLoaded="C:\\Windows\\System32\\faultrep.dll" | table _time Computer Image ImageLoaded
index=* (sourcetype=WinEventLog:Security EventCode=4688 OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) (New_Process_Name="*\\scriptrunner.exe" OR Image="*\\scriptrunner.exe") | transaction Computer Parent_Process_ID maxspan=30s | search "WerFault.exe"
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11) TargetFilename="*inventory & our specialties.lnk" | table _time Computer User TargetFilename
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11) TargetFilename="*File.xls" | transaction Computer User maxspan=5m | search "*.iso"
index=* (sourcetype=proxy OR sourcetype=dns) ("github.com/oxfemale/CVE-2026-20817" OR "oxfemale/CVE-2026-20817") | table _time src_ip user uri dns_query
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13 TargetObject="HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\WerFault.exe*" | table _time Computer User TargetObject Details EventType
YARA Rules
WER_DLL_Sideloading_Faultrep — Detects potentially malicious faultrep.dll files used in WER sideloading attacks
rule WER_DLL_Sideloading_Faultrep {
    meta:
        description = "Detects suspicious faultrep.dll used in WER sideloading attacks"
        author = "PEAK Hunt Team"
        date = "2024-01-15"
        reference = "https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/"
    strings:
        $legit1 = "faultrep.dll" ascii wide
        $legit2 = "Microsoft Corporation" ascii wide
        $legit3 = "Windows Fault Reporting DLL" ascii wide
        $sus1 = "inventory & our specialties" ascii wide
        $sus2 = "scriptrunner.exe" ascii wide
        $sus3 = "File.xls" ascii wide
        $export1 = "ReportFault" ascii
        $export2 = "WerReportCreate" ascii
    condition:
        uint16(0) == 0x5A4D and
        $legit1 and
        (not $legit2 or not $legit3) and
        (any of ($sus*) or (not $export1 and not $export2))
}
CVE_2026_20817_Exploit_Artifacts — Detects artifacts associated with CVE-2026-20817 exploitation
rule CVE_2026_20817_Exploit_Artifacts {
    meta:
        description = "Detects artifacts from CVE-2026-20817 WER privilege escalation exploits"
        author = "PEAK Hunt Team"
        date = "2024-01-15"
        cve = "CVE-2026-20817"
    strings:
        $alpc1 = "\\WindowsErrorReportingServicePort" ascii wide
        $alpc2 = "SvcElevatedLaunch" ascii wide
        $alpc3 = "AlpcConnectPort" ascii
        $alpc4 = "NtAlpcSendWaitReceivePort" ascii
        $wer1 = "WerFault.exe" ascii wide nocase
        $wer2 = "WerMgr.exe" ascii wide nocase
        $priv1 = "SeDebugPrivilege" ascii
        $priv2 = "SeTcbPrivilege" ascii
        $priv3 = "AdjustTokenPrivileges" ascii
    condition:
        uint16(0) == 0x5A4D and
        2 of ($alpc*) and
        any of ($wer*) and
        2 of ($priv*)
}
Suricata Rules
SID 2024081701 — Detects potential access to fake CVE-2026-20817 PoC repository
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Potential Access to Fake CVE-2026-20817 PoC Repository"; flow:established,to_server; content:"GET"; http_method; content:"github.com"; http_host; content:"/oxfemale/CVE-2026-20817"; http_uri; fast_pattern; reference:url,itm4n.github.io/cve-2026-20817-wersvc-eop/; classtype:trojan-activity; sid:2024081701; rev:1;)
SID 2024081702 — Detects HTTP traffic with WER-related exploitation artifacts
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential WER Exploitation Payload Delivery"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"WindowsErrorReportingServicePort"; fast_pattern; content:"SvcElevatedLaunch"; distance:0; content:"WerFault.exe"; distance:0; reference:cve,2026-20817; classtype:attempted-admin; sid:2024081702; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1068, T1574.002, T1112, T1055 | EventID 1 (Process Create), EventID 7 (Image Load), EventID 8 (CreateRemoteThread), EventID 10 (ProcessAccess), EventID 12/13/14 (Registry) |
| Windows Security | T1068, T1112 | EventID 4688 (Process Creation with command line), EventID 4657 (Registry auditing), EventID 4663 (Object access) |
| ETW Microsoft-Windows-RPC | T1134 | Required for ALPC port monitoring. Enable via WPA/WPR or custom ETW consumer |
| EDR Telemetry | T1068, T1574.002, T1055, T1134 | Process token information, DLL load events, ALPC activity, API call monitoring |
| Proxy Logs | T1566.001 | Monitor for access to malicious GitHub repositories and exploit kit infrastructure |
Sources
- Windows Error Reporting Flaw Allows Attackers to Elevate Privileges
- CVE-2026-20817 - Windows Error Reporting Service EoP
- CVE-2024-26169 - Feedly
- Black Basta Ransomware Zero-Day
- Ransomware Group Black Basta Linked to Zero-Day Attacks on Windows
- How to Beat Nefilim Ransomware Attacks
- Hackers Abuse Windows Error Reporting Tool to Deploy Malware
- PoC Exploit Released for Microsoft Windows
- CVE-2026-20817 - SentinelOne Vulnerability Database
- CVE-2024-26169: Active Exploitation of Windows Elevation of Privilege Flaw