← Back to SOC feed Coverage →

Suspicious Child Process Of Wermgr.EXE

sigma HIGH SigmaHQ
T1055T1036
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Detection Rule

Sigma (Original)

title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
      type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\ipconfig.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nslookup.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'C:\Windows\system32\WerConCpl.dll'
            - 'LaunchErcApp '
        CommandLine|contains:
            - '-queuereporting'
            - '-responsepester'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\wermgr.exe" or ActingProcessName endswith "\\wermgr.exe") and (TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\ipconfig.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\net1.exe" or TargetProcessName endswith "\\netstat.exe" or TargetProcessName endswith "\\nslookup.exe" or TargetProcessName endswith "\\powershell_ise.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\systeminfo.exe" or TargetProcessName endswith "\\whoami.exe" or TargetProcessName endswith "\\wscript.exe")) and (not((TargetProcessName endswith "\\rundll32.exe" and (TargetProcessCommandLine contains "C:\\Windows\\system32\\WerConCpl.dll" and TargetProcessCommandLine contains "LaunchErcApp ") and (TargetProcessCommandLine contains "-queuereporting" or TargetProcessCommandLine contains "-responsepester"))))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml