Suspicious Execution Location Of Wermgr.EXE

Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.

Sigma rule

title: Suspicious Execution Location Of Wermgr.EXE
id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
related:
    - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
      type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022/10/14
modified: 2023/08/23
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wermgr.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
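The rule's detection block evaluated over a few constructed process-creation events, as an added example that is not part of the rule or of the Sigma project's tooling. It reproduces Sigma's default case-insensitive string matching for the `endswith` and `startswith` modifiers and assumes each event carries the rule's `Image` field as a plain string.

```python
# Added example: a minimal evaluator for this rule's detection block.
# Sigma compares strings case-insensitively by default, so both blocks lower-case first.

SELECTION = {"Image|endswith": ["\\wermgr.exe"]}
FILTER_MAIN_LEGIT_LOCATION = {
    "Image|startswith": [
        "C:\\Windows\\System32\\",
        "C:\\Windows\\SysWOW64\\",
        "C:\\Windows\\WinSxS\\",
    ]
}

def field_matches(event: dict, key: str, values: list) -> bool:
    """Apply one 'field|modifier' entry to an event (OR over the listed values)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
    return False

def block_matches(event: dict, block: dict) -> bool:
    """Every entry of a Sigma selection/filter map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def wermgr_rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    filters = [FILTER_MAIN_LEGIT_LOCATION]  # every block named filter_main_*
    return block_matches(event, SELECTION) and not any(
        block_matches(event, f) for f in filters
    )

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wermgr.exe"},   # legitimate path
    {"Image": "c:\\windows\\syswow64\\WerMgr.exe"},   # legitimate, odd casing
    {"Image": "C:\\Users\\Public\\wermgr.exe"},       # outside the system dirs
    {"Image": "C:\\Windows\\System32\\svchost.exe"},  # not wermgr.exe at all
]

def alerts(events: list) -> list:
    """Return the Image paths of the events that trigger the rule."""
    return [e["Image"] for e in events if wermgr_rule_matches(e)]
```

Only the copy under `C:\Users\Public\` alerts; the mixed-case SysWOW64 path is filtered exactly as a Sigma backend would filter it.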
