splApache-2.0from splunk/security_content
Wermgr Process Create Executable File
The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/wermgr_process_create_executable_file.yml
`sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe"
| stats min(_time) as firstTime max(_time) as lastTime count
BY action dest file_name
file_path process_guid process_id
user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wermgr_process_create_executable_file_filter`