Suspicious WERMGR Process Patterns

Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.

Sigma rule

title: Suspicious WERMGR Process Patterns
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
status: experimental
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022/10/14
modified: 2023/02/06
logsource:
    category: process_creation
    product: windows
detection:
    selection_susp_parent:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\nslookup.exe'
            - '\ipconfig.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\whoami.exe'
            - '\netstat.exe'
            - '\systeminfo.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    selection_img:
        Image|endswith: '\wermgr.exe'
    filter_img_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: 1 of selection_susp* or (selection_img and not filter_img_location)
falsepositives:
    - Unknown
level: high
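As an added example (not part of the Sigma rule or the Sigma project), the following Python code applies the rule's two branches and the location filter to constructed process-creation events. It assumes Sigma's default string matching, which is case-insensitive for endswith/startswith, and events with only the Image and ParentImage fields.

```python
# Field values copied from the rule above; Sigma matches strings case-insensitively by default.
SUSP_CHILDREN = ('\\nslookup.exe', '\\ipconfig.exe', '\\net.exe', '\\net1.exe',
                 '\\whoami.exe', '\\netstat.exe', '\\systeminfo.exe', '\\cmd.exe',
                 '\\powershell.exe')
TRUSTED_DIRS = ('C:\\Windows\\System32\\', 'C:\\Windows\\SysWOW64\\', 'C:\\Windows\\WinSxS\\')


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _startswith_any(value, prefixes):
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def match_wermgr_rule(event):
    """Return the name of the matching selection, or None when the event is benign.

    event: dict with the process_creation fields 'Image' and 'ParentImage'.
    """
    image = event.get('Image', '')
    parent = event.get('ParentImage', '')
    # selection_susp_parent: recon or shell utilities spawned by wermgr.exe
    if _endswith_any(parent, ('\\wermgr.exe',)) and _endswith_any(image, SUSP_CHILDREN):
        return 'selection_susp_parent'
    # selection_img and not filter_img_location: wermgr.exe running outside its system folders
    if _endswith_any(image, ('\\wermgr.exe',)) and not _startswith_any(image, TRUSTED_DIRS):
        return 'selection_img'
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\whoami.exe', 'ParentImage': 'C:\\Windows\\System32\\wermgr.exe'},
    {'Image': 'C:\\Users\\Public\\wermgr.exe', 'ParentImage': 'C:\\Windows\\explorer.exe'},
    {'Image': 'C:\\Windows\\SysWOW64\\wermgr.exe', 'ParentImage': 'C:\\Windows\\System32\\svchost.exe'},
    {'Image': 'C:\\Windows\\System32\\WerFault.exe', 'ParentImage': 'C:\\Windows\\System32\\wermgr.exe'},
    {'Image': 'C:\\WINDOWS\\SYSTEM32\\CMD.EXE', 'ParentImage': 'c:\\windows\\system32\\WERMGR.EXE'},
]


def alerts(events):
    """Return (Image, selection) pairs for every event the rule would fire on."""
    hits = ((e['Image'], match_wermgr_rule(e)) for e in events)
    return [(img, sel) for img, sel in hits if sel]


if __name__ == '__main__':
    for img, sel in alerts(SAMPLE_EVENTS):
        print(f'{sel}: {img}')
```

The third and fourth sample events show the two intended non-matches: wermgr.exe in SysWOW64 is excluded by filter_img_location, and a WerFault.exe child is not in the suspicious-child list.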