splApache-2.0from splunk/security_content
Windows App Layer Protocol Wermgr Connect To NamedPipe
The following analytic detects the wermgr.exe process creating or connecting to a named pipe. It leverages Sysmon EventCodes 17 and 18 to identify these actions. This activity is significant because wermgr.exe, a legitimate Windows OS Problem Reporting application, is often abused by malware such as Trickbot and Qakbot to execute malicious code. If confirmed malicious, this behavior could indicate that an attacker has injected code into wermgr.exe, potentially allowing them to communicate covertly, escalate privileges, or persist within the environment.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
`sysmon` EventCode IN (17, 18) Image= "*\\wermgr.exe" EventType IN ( "CreatePipe", "ConnectPipe") | stats min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter`