Detecting the presence of wermgr.exe spawning a suspicious child process

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be installed and logging process creation events (Sysmon Event ID 1), because those events carry the parent image (ParentImage) and child image (Image) fields the criteria below are matched against. A Sysmon configuration that filters out ProcessCreate events, or one that does not forward them to the log collector, silently disables the rule.

Rule type:

Correlation rule

Rule description:

wermgr.exe is the Windows Error Reporting Manager, a signed Microsoft binary that normally launches only the other Windows Error Reporting components. This rule monitors whether wermgr.exe creates child processes that are not part of error reporting, which can indicate malware that has injected code into wermgr.exe, or otherwise abused it, to launch further programs under a trusted process name.

Data source:

Windows: User account, process, network traffic, script

Relevant MITRE ATT&CK techniques and tactics:

Criteria:

Parent process name ends with "wermgr.exe": This part of the rule focuses on the parent process. It matches when the parent process image name ends with "wermgr.exe" (the comparison is on the file name, regardless of case or directory).

Process name does not end with ("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe"): This part looks at the child process spawned by the parent (wermgr.exe). It excludes child processes named "WerFaultSecure.exe", "wermgr.exe", and "WerFault.exe" because these are the legitimate Windows Error Reporting components that wermgr.exe is expected to launch. Note that the exclusion is by name only: a binary merely named WerFault.exe running from a non-system directory would also be excluded, so analysts should check the full path of any excluded child when investigating related activity.

When to enable this rule:

Enable this rule to detect adversaries abusing the Windows Error Reporting Manager as a launcher for further processes, for example malware that injects code into wermgr.exe and spawns new programs from it so that the activity appears to originate from a trusted Windows component.

Compliance mapping:

NIST Cybersecurity Framework (CSF): DE.AE (Anomalies and Events), for detecting anomalous process activity that suggests malware or attacker presence.

CIS Controls: Control 8 (Malware Defenses) in v7, which corresponds to Control 10 (Malware Defenses) in v8, to identify and counter attempts to exploit the Windows Error Reporting Manager for malicious purposes.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or open a new one, and assign the incident to an analyst for in-depth examination.
  • Analysis: Investigate the impact and assess the degree of compromise using the Incident Workbench, starting with the full path and command line of the child process, the parent process ID, and the user context under which wermgr.exe was running.
  • Response: Trigger an automated workflow to terminate the identified malicious process, using Workflows for prompt mitigation.