Wermgr.exe spawning without command line arguments
Wermgr.exe should not spawn without any command line arguments. Malware sometimes uses process injection into such a process to disguise its malicious activity and evade detection.
Sigma rule
title: Wermgr.exe spawning without command line arguments
id: 735e43b1-8533-4b37-91a6-5bf89a671884
description: Wermgr.exe should not spawn without any command line arguments. Malware sometimes uses process injection into such a process to disguise its malicious activity and evade detection.
references:
  - https://x.com/Kostastsale/status/1570178125400776705
status: experimental
date: 2022/09/14
author: '@kostastsale'
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    # both fields ending in the bare image path means nothing followed it,
    # i.e. wermgr.exe was started with no arguments
    Image|endswith:
      - '\wermgr.exe'
    CommandLine|endswith:
      - '\wermgr.exe'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.Defense Evasion
  - attack.T1218
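As an added example, not code from the rule's author or the Sigma repository, the following Python evaluates the rule's selection1 over a few constructed process_creation events. Field names (Image, CommandLine, ParentImage) follow the Sysmon-style schema Sigma uses, the parent paths are placeholders, and the suffix comparison is case-insensitive to mirror Sigma's default string matching; the last event shows that a quoted command line slips past the endswith test.

```python
# Added example, not part of the Sigma rule or its repository: evaluate the
# rule's selection1 over constructed Windows process_creation events.

WERMGR_SUFFIX = "\\wermgr.exe"

def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())

def matches_rule(event: dict) -> bool:
    """Image|endswith '\\wermgr.exe' AND CommandLine|endswith '\\wermgr.exe'.
    Both hold only when the command line is nothing but the image path,
    i.e. wermgr.exe was started with no arguments at all."""
    return (_endswith_ci(event.get("Image", ""), WERMGR_SUFFIX)
            and _endswith_ci(event.get("CommandLine", ""), WERMGR_SUFFIX))

# Constructed sample events; field names follow the Sysmon-style schema Sigma uses.
SAMPLE_EVENTS = [
    {   # benign: Windows Error Reporting started with its usual arguments
        "Image": r"C:\Windows\System32\wermgr.exe",
        "CommandLine": r"C:\Windows\system32\wermgr.exe -upload",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # the condition the rule describes: bare wermgr.exe, no arguments
        "Image": r"C:\Windows\System32\wermgr.exe",
        "CommandLine": r"C:\Windows\System32\wermgr.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\unknown.exe",  # placeholder
    },
    {   # unrelated process, must not match
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # same situation but the path is quoted: the endswith test stops at the
        # trailing quote, so this event is NOT matched (a gap worth knowing)
        "Image": r"C:\Windows\System32\wermgr.exe",
        "CommandLine": r'"C:\Windows\System32\wermgr.exe"',
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\unknown.exe",  # placeholder
    },
]

def run_detection(events: list) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['CommandLine']} (parent {ev['ParentImage']})")
```

Only the second event fires; the quoted fourth event is the case to keep in mind when tuning the rule against your own telemetry.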
Related rules
- CMSTP installation of malicious code
- Dumpbin LOLBin use for proxying execution via link.exe
- MSTeams exe side-loading - Update.exe
- VSDiagnostics used for proxying execution malicious binaries