Wermgr.exe spawning without command line arguments
Wermgr.exe (the Windows Error Reporting manager) should not spawn without any command line arguments. Malware sometimes uses process injection into such a process to masquerade its malicious activity and evade detection.
Sigma rule
title: Wermgr.exe spawning without command line arguments
description: Wermgr.exe should not spawn without any command line arguments. Malware sometimes uses process injection into such a process to masquerade its malicious activity and evade detection.
status: experimental
date: 2022/09/14
author: '@kostastsale'
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\wermgr.exe'
    CommandLine|endswith:
      - '\wermgr.exe'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
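To see what the rule above actually catches, here is the selection logic re-implemented in Python and run over a handful of constructed process_creation events (this is an added illustration, not part of the rule or of the Sigma project). It applies Sigma's default case-insensitive string matching, and also shows a normalised variant (an assumption of this example, not a Sigma modifier) that additionally flags a bare launch whose command line is wrapped in quotes, which the `endswith` test as written does not match.

```python
# Constructed process_creation events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe"},                 # bare launch: should alert
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe -upload"},         # normal WER upload: benign
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\WINDOWS\SYSTEM32\WERMGR.EXE"},                 # same as first, different case
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r'"C:\Windows\System32\wermgr.exe"'},               # bare launch, quoted path
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"}, # different image: benign
]

SUFFIX = r"\wermgr.exe"


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma's endswith modifier compares case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """selection1 as written: Image|endswith AND CommandLine|endswith '\\wermgr.exe'."""
    return (sigma_endswith(event.get("Image", ""), SUFFIX)
            and sigma_endswith(event.get("CommandLine", ""), SUFFIX))


def matches_rule_normalized(event: dict) -> bool:
    """Hypothetical stricter check: strip surrounding whitespace and quotes from the
    command line first, so a quoted bare launch is treated like an unquoted one."""
    cmd = event.get("CommandLine", "").strip().strip('"')
    return (sigma_endswith(event.get("Image", ""), SUFFIX)
            and sigma_endswith(cmd, SUFFIX))


def evaluate(events: list, check=matches_rule) -> list:
    """Return the indices of events that the given check flags."""
    return [i for i, e in enumerate(events) if check(e)]


if __name__ == "__main__":
    print("rule as written flags:", evaluate(SAMPLE_EVENTS))
    print("normalised variant flags:", evaluate(SAMPLE_EVENTS, matches_rule_normalized))
```

The quoted-path case (index 3) is the one a practitioner should test against their own telemetry: whether it appears at all depends on how the process creation source records the command line.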