Suspicious WERMGR Process Patterns
Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns. As written, the detection logic covers two cases: wermgr.exe acting as the parent of a reconnaissance or shell binary (nslookup, ipconfig, net, net1, whoami, netstat, systeminfo, cmd, powershell), and wermgr.exe executing from any location other than System32, SysWOW64 or WinSxS. The rule description also mentions suspicious parents and command lines, but the detection section does not inspect the parent of wermgr.exe itself or any command line.
Sigma rule
title: Suspicious WERMGR Process Patterns
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
status: experimental
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022/10/14
modified: 2023/02/06
logsource:
    category: process_creation
    product: windows
detection:
    selection_susp_parent:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\nslookup.exe'
            - '\ipconfig.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\whoami.exe'
            - '\netstat.exe'
            - '\systeminfo.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    selection_img:
        Image|endswith: '\wermgr.exe'
    filter_img_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: 1 of selection_susp* or (selection_img and not filter_img_location)
falsepositives:
    - Unknown
level: high
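To see exactly which events the condition above fires on, here is the rule's detection section re-implemented by hand in Python and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or from pySigma; the field names (Image, ParentImage) follow the Sigma process_creation taxonomy, the sample events and their id labels are made up for the demonstration, and the case-insensitive comparison mirrors the default behaviour of Sigma string modifiers rather than any particular SIEM backend.

```python
"""Hand-written evaluation of the 'Suspicious WERMGR Process Patterns' Sigma
rule over constructed process_creation events (added example, not project code)."""

# Image|endswith list from selection_susp_parent (lower-cased for matching).
SUSP_CHILDREN = (
    "\\nslookup.exe", "\\ipconfig.exe", "\\net.exe", "\\net1.exe",
    "\\whoami.exe", "\\netstat.exe", "\\systeminfo.exe", "\\cmd.exe",
    "\\powershell.exe",
)

# Image|startswith list from filter_img_location (lower-cased for matching).
EXPECTED_LOCATIONS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _lower(value):
    # Sigma's endswith/startswith modifiers match case-insensitively by
    # default, so normalise the event value before comparing; a missing
    # field behaves like an empty string and never matches.
    return (value or "").lower()


def selection_susp_parent(event):
    """wermgr.exe is the parent of a recon or shell binary from the list."""
    parent = _lower(event.get("ParentImage"))
    image = _lower(event.get("Image"))
    return parent.endswith("\\wermgr.exe") and image.endswith(SUSP_CHILDREN)


def selection_img(event):
    """The process being created is wermgr.exe itself."""
    return _lower(event.get("Image")).endswith("\\wermgr.exe")


def filter_img_location(event):
    """wermgr.exe runs from one of the expected system folders."""
    return _lower(event.get("Image")).startswith(EXPECTED_LOCATIONS)


def matches(event):
    """condition: 1 of selection_susp* or (selection_img and not filter_img_location)

    Only one selection_susp* block exists in the rule, so '1 of' reduces to
    that single selection."""
    return selection_susp_parent(event) or (
        selection_img(event) and not filter_img_location(event)
    )


# Constructed sample events (not real telemetry). The 'id' field is only a
# label for the demonstration and is not part of the Sigma taxonomy.
SAMPLE_EVENTS = [
    {"id": "recon_child",       # wermgr.exe spawning whoami -> fires
     "Image": "C:\\Windows\\System32\\whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\wermgr.exe"},
    {"id": "shell_child",       # wermgr.exe spawning cmd -> fires
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wermgr.exe"},
    {"id": "odd_location",      # wermgr.exe outside the system folders -> fires
     "Image": "C:\\Users\\Public\\wermgr.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": "benign_system32",   # expected location, filtered out
     "Image": "C:\\Windows\\System32\\wermgr.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"id": "benign_winsxs",     # WinSxS copy, filtered out (path is constructed)
     "Image": "C:\\Windows\\WinSxS\\example_component\\wermgr.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"id": "benign_mixed_case", # same as benign_system32 with odd casing
     "Image": "C:\\WINDOWS\\system32\\WERMGR.EXE",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"id": "unlisted_child",    # child not in the list -> does not fire
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\wermgr.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the id labels of the events that trigger the rule, in order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:18} {'ALERT' if matches(e) else 'ok'}")
```

Two things worth noticing when reading the output. First, the child-process selection fires no matter where the child itself lives, which is what catches a wermgr.exe that has been used as an injection host and is now launching reconnaissance tools (the Trend Micro reference describes QakBot-to-Black-Basta intrusions of that kind). Second, filter_img_location hard-codes the C: drive, so on a host where Windows is installed on another drive letter every legitimate wermgr.exe start would match selection_img and not be filtered; if that is possible in your environment, widen the filter before deploying rather than living with the noise.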