Wermgr.exe spawning without command line arguments

Wermgr.exe, the Windows Error Reporting manager, is normally started by the operating system with arguments and should not appear with an empty command line. Malware sometimes launches a signed, trusted binary such as wermgr.exe with no arguments purely as a sacrificial host process, then injects code into it so that the malicious activity runs under a legitimate image name and evades image-based detection. A process creation event whose CommandLine consists of nothing but the path to wermgr.exe is therefore treated as a high-confidence signal. Note that the rule compares the raw CommandLine field, so a launch whose command line is the quoted path ("...\wermgr.exe") ends with a quote character and will not match as written.

Sigma rule

title: Wermgr.exe spawning without command line arguments
description: Wermgr.exe should not spawn without any command line arguments. Malware sometimes starts it as an empty host process and uses process injection to masquerade malicious activity and evade detection.
status: experimental
date: 2022/09/14
author: '@kostastsale'
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\wermgr.exe'
        CommandLine|endswith:
            - '\wermgr.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
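To show what the selection above actually matches, the following is an added Python re-implementation of the rule's detection logic run over a handful of constructed Sysmon-style process_creation events (field names Image and CommandLine as used in the rule; the events are made up for illustration and are not real telemetry). It is example code written for this page, not part of the original rule or of SigmaHQ. It also goes one step beyond the rule with a quote-tolerant variant (an assumption of this example, not something the rule does) to illustrate the quoted-path gap.

```python
"""Added example: the Sigma selection above, re-implemented in Python and run over
constructed process_creation events. Not part of the original page or of SigmaHQ."""

# Constructed sample events (not real telemetry). Index numbers are referenced below.
SAMPLE_EVENTS = [
    # 0: legitimate WER invocation, started by the OS with its usual arguments
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe -upload"},
    # 1: suspicious, wermgr.exe started with nothing but its own path
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe"},
    # 2: same launch, but the parent quoted the path; the rule as written misses this
    {"Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r'"C:\Windows\System32\wermgr.exe"'},
    # 3: a different binary with an argument-less command line; Image does not match
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    # 4: case variation; Sigma string modifiers match case-insensitively
    {"Image": r"C:\WINDOWS\System32\WerMgr.exe",
     "CommandLine": r"C:\WINDOWS\System32\WerMgr.exe"},
]

IMAGE_SUFFIX = "\\wermgr.exe"


def _endswith_ci(value, suffix):
    """Sigma 'endswith' semantics: case-insensitive suffix test on the raw field."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """selection1 exactly as written: Image AND CommandLine both end with \\wermgr.exe."""
    return (_endswith_ci(event.get("Image", ""), IMAGE_SUFFIX)
            and _endswith_ci(event.get("CommandLine", ""), IMAGE_SUFFIX))


def matches_rule_quote_tolerant(event):
    """Generalisation, not in the original rule (assumption of this example):
    strip surrounding double quotes from CommandLine before the suffix test so a
    quoted, argument-less launch also alerts."""
    cmd = event.get("CommandLine", "").strip().strip('"')
    return (_endswith_ci(event.get("Image", ""), IMAGE_SUFFIX)
            and _endswith_ci(cmd, IMAGE_SUFFIX))


def evaluate(events, matcher=matches_rule):
    """Return the indexes of the events the given matcher flags."""
    return [i for i, ev in enumerate(events) if matcher(ev)]


if __name__ == "__main__":
    print("rule as written:", evaluate(SAMPLE_EVENTS))
    print("quote-tolerant :", evaluate(SAMPLE_EVENTS, matches_rule_quote_tolerant))
```

Run as a script it reports events 1 and 4 for the rule as written and 1, 2 and 4 for the quote-tolerant variant; event 0 is excluded by its `-upload` argument and event 3 by its Image. Whether to adopt the quote-tolerant form in a real deployment depends on your SIEM's Sigma backend: a second `CommandLine|endswith` value of `\wermgr.exe"` in the rule itself achieves the same effect without custom code.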
