Suspicious Child Process Of Wermgr.EXE

Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe)

Sigma rule

title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
      type: similar
status: experimental
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\ipconfig.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nslookup.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'C:\Windows\system32\WerConCpl.dll'
            - 'LaunchErcApp '
        CommandLine|contains:
            - '-queuereporting'
            - '-responsepester'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
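The rule's selection, filter and condition evaluated in Python over constructed process_creation events, as an added example that is not part of the rule or of any Sigma tooling; field names follow Sigma's Windows process_creation taxonomy, and the events, paths and command lines are made up for illustration:

```python
# Added example (not from the Sigma rule or any Sigma tooling): a minimal
# evaluator of this rule's selection/filter logic over constructed
# process_creation events. Sigma matching is case-insensitive, so both sides
# of every comparison are lower-cased.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "cscript.exe", "ipconfig.exe", "mshta.exe", "net.exe",
    "net1.exe", "netstat.exe", "nslookup.exe", "powershell_ise.exe",
    "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
    "systeminfo.exe", "whoami.exe", "wscript.exe",
}

def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # last path component

def selection(ev):
    """Sigma 'selection': wermgr.exe parent and a listed child image."""
    return (ev.get("ParentImage", "").lower().endswith("\\wermgr.exe")
            and _image_name(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)

def filter_main_rundll32(ev):
    """Sigma 'filter_main_rundll32': WER's own benign rundll32 call."""
    cmd = ev.get("CommandLine", "").lower()
    return (_image_name(ev.get("Image", "")) == "rundll32.exe"
            and "c:\\windows\\system32\\werconcpl.dll" in cmd
            and "launchercapp " in cmd
            and any(s in cmd for s in ("-queuereporting", "-responsepester")))

def rule_matches(ev):
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_rundll32(ev)

# Constructed sample events; the rule should fire on indexes 0 and 2 only.
WERMGR = r"C:\Windows\System32\wermgr.exe"
SAMPLE_EVENTS = [
    {"ParentImage": WERMGR, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
    {"ParentImage": WERMGR, "Image": r"C:\Windows\System32\rundll32.exe",  # benign WER path
     "CommandLine": r"rundll32.exe C:\Windows\system32\WerConCpl.dll,LaunchErcApp -queuereporting"},
    {"ParentImage": WERMGR, "Image": r"C:\Windows\System32\rundll32.exe",  # arbitrary DLL
     "CommandLine": r"rundll32.exe C:\Users\Public\unknown.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

def alerts(events=SAMPLE_EVENTS):
    """Indexes of the events the rule alerts on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]
```

The second event shows why the filter exists: WER itself launches rundll32.exe with WerConCpl.dll, so without the filter every reporting cycle would alert.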
