Crashing applications may indicate adversarial attempts to destabilize systems by triggering unexpected process terminations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation of application vulnerabilities or malicious process injection tactics.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(1d)
// WerFault.exe receives the PID of the faulting process in its "-p <pid>" argument
| where FileName =~ 'werfault.exe'
// typeof(long) returns the PID as a number so it can be compared with ProcessId
| project CrashTime = Timestamp, DeviceId, WerFaultCommand = ProcessCommandLine, CrashProcessId = extract("-p ([0-9]{1,5})", 1, ProcessCommandLine, typeof(long))
// Look for the launch of that PID on the same device within the day before the crash
| join kind=inner hint.strategy=shuffle DeviceProcessEvents on DeviceId
| where CrashProcessId == ProcessId and Timestamp between (datetime_add('day',-1,CrashTime) .. CrashTime)
| project-away ActionType
| project-rename ProcessStartTimestamp = Timestamp
```
```yaml
id: 53b250f6-c684-4932-aca9-a06045a962d6
name: Crashing Applications
description: |
  This query identifies crashing processes based on parameters passed
  to werfault.exe and attempts to find the associated process launch
  from DeviceProcessEvents.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Misconfiguration
query: |
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where FileName =~ 'werfault.exe'
  // typeof(long) returns the PID as a number so it can be compared with ProcessId
  | project CrashTime = Timestamp, DeviceId, WerFaultCommand = ProcessCommandLine, CrashProcessId = extract("-p ([0-9]{1,5})", 1, ProcessCommandLine, typeof(long))
  | join kind=inner hint.strategy=shuffle DeviceProcessEvents on DeviceId
  | where CrashProcessId == ProcessId and Timestamp between (datetime_add('day',-1,CrashTime) .. CrashTime)
  | project-away ActionType
  | project-rename ProcessStartTimestamp = Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Windows Update or System File Checker (SFC) execution | Werfault.exe is invoked as part of Windows Update or System File Checker (SFC) operations, which can cause temporary application crashes during system maintenance. | Exclude processes where the parent process is svchost.exe or wuauserv.exe, or where the command line includes sfc or wuau. |
| Scheduled Job Running a Legacy Application | A scheduled job runs an outdated or incompatible application that crashes upon launch, triggering werfault.exe. | Exclude events where the process is launched by a scheduled task with a known name (e.g., TaskScheduler), and filter by the task name or user context. |
| Antivirus or Endpoint Protection Scan | Antivirus or endpoint protection software may trigger werfault.exe when scanning or quarantining files, causing temporary application crashes. | Exclude processes where the parent process is mpsvc.exe (Microsoft Defender), avgnt.exe, or similar antivirus processes. |
| Microsoft Office Application Crash During Save/Export | A user may experience a crash in Microsoft Word or Excel when saving a document, which can be misinterpreted as a system-level crash. | Exclude processes where the executable is WINWORD.EXE, EXCEL.EXE, or similar Microsoft Office applications, and filter by the application name. |
| PowerShell Script or Command-Line Tool Crash | A PowerShell script or command-line tool may crash unexpectedly, leading to werfault.exe being invoked. | Exclude events where the process is launched via powershell.exe or cmd.exe, and filter by the script path or command |
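The hunting query with the scenario exclusions above folded into it, as an added example that is not part of the original page or of Microsoft's Sentinel content. The `lookback`, `excludedParents` and `excludedApps` names are assumptions; the process and application names in the lists are taken from the table and should be tuned to your environment. Two additions go beyond the page's own query: an `arg_max` step that keeps only the most recent launch of a PID before the crash (Windows reuses PIDs, so a plain join can pair a crash with an older, unrelated process), and a final `summarize` that ranks crashing binaries by how few devices they appear on, which surfaces one-off crashes of unusual executables above fleet-wide noise.

```kql
// Added example: base "Crashing Applications" query plus the false-positive
// exclusions from the table. Names in the let statements are assumptions.
let lookback = 1d;
let excludedParents = dynamic(["svchost.exe", "wuauserv.exe", "mpsvc.exe", "avgnt.exe", "powershell.exe", "cmd.exe"]);
let excludedApps = dynamic(["WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ 'werfault.exe'
// typeof(long) makes the extracted PID numeric so the comparison with ProcessId is type-safe
| project CrashTime = Timestamp, DeviceId, WerFaultCommand = ProcessCommandLine,
          CrashProcessId = extract(@"-p ([0-9]{1,5})", 1, ProcessCommandLine, typeof(long))
| where isnotnull(CrashProcessId)
// Launches can precede the crash by up to a day, so the right side needs one extra day of history
| join kind=inner hint.strategy=shuffle (
    DeviceProcessEvents
    | where Timestamp > ago(lookback + 1d)
    | project ProcessStartTimestamp = Timestamp, DeviceId, ProcessId, FileName, FolderPath,
              ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
  ) on DeviceId
| where CrashProcessId == ProcessId
    and ProcessStartTimestamp between (datetime_add('day', -1, CrashTime) .. CrashTime)
// PIDs are reused: keep only the most recent launch of that PID before the crash
| summarize arg_max(ProcessStartTimestamp, *) by DeviceId, CrashTime, CrashProcessId
// Scenario exclusions: maintenance, AV and shell parents; Office apps; SFC / Windows Update command lines
| where InitiatingProcessFileName !in~ (excludedParents)
| where FileName !in~ (excludedApps)
| where not(ProcessCommandLine has_any ("sfc", "wuau"))
// Rank by rarity across the fleet: a binary crashing on one device is more interesting than a fleet-wide crash
| summarize Crashes = count(), Devices = dcount(DeviceId),
            SampleCommand = take_any(ProcessCommandLine), LastCrash = max(CrashTime)
    by FileName, FolderPath
| order by Devices asc, Crashes desc
```

The exclusions are applied after the join rather than on the WerFault.exe rows because the parent process, executable name and command line that the table keys on belong to the crashed process, not to werfault.exe itself. Review the excluded-parent list before relying on it: excluding cmd.exe and powershell.exe as parents also hides crashes of processes an attacker launched from a shell, so in a hunt you may prefer to keep those rows and down-rank them instead.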