Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Sigma rule (View on GitHub)
1title: Suspicious Child Process Of Wermgr.EXE
2id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
3related:
4 - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
5 type: similar
6status: experimental
7description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
8references:
9 - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
10 - https://www.echotrail.io/insights/search/wermgr.exe
11 - https://github.com/binderlabs/DirCreate2System
12author: Florian Roth (Nextron Systems)
13date: 2022/10/14
14modified: 2023/08/23
15tags:
16 - attack.defense_evasion
17 - attack.privilege_escalation
18 - attack.t1055
19 - attack.t1036
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 ParentImage|endswith: '\wermgr.exe'
26 Image|endswith:
27 - '\cmd.exe'
28 - '\cscript.exe'
29 - '\ipconfig.exe'
30 - '\mshta.exe'
31 - '\net.exe'
32 - '\net1.exe'
33 - '\netstat.exe'
34 - '\nslookup.exe'
35 - '\powershell_ise.exe'
36 - '\powershell.exe'
37 - '\pwsh.exe'
38 - '\regsvr32.exe'
39 - '\rundll32.exe'
40 - '\systeminfo.exe'
41 - '\whoami.exe'
42 - '\wscript.exe'
43 condition: selection
44falsepositives:
45 - Unknown
46level: high
References
-
We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
Read More -
Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting - binderlabs/DirCreate2System
Read More
Related rules
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- APT PRIVATELOG Image Load Pattern
- Potential Dridex Activity
- Interactive Bash Suspicious Children