Detection rules › Sigma
Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection_parent
ParentImage|endswith: '\wlrmdr.exe'
Stage 2: all of selection_child_img
or:
Image|endswith: '\wlrmdr.exe'
OriginalFileName: WLRMNDR.EXE
Stage 3: all of selection_child_cli_flags_s
CommandLine|contains: '-s '
Stage 4: all of selection_child_cli_flags_f
CommandLine|contains: '-f '
Stage 5: all of selection_child_cli_flags_t
CommandLine|contains: '-t '
Stage 6: all of selection_child_cli_flags_m
CommandLine|contains: '-m '
Stage 7: all of selection_child_cli_flags_a
CommandLine|contains: '-a '
Stage 8: all of selection_child_cli_flags_u
CommandLine|contains: '-u '
Stage 9: not 1 of filter_main_*
or:
ParentImage: ''
ParentImage: -
ParentImage: 'C:\Windows\System32\winlogon.exe'
ParentImage: null
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|
ParentImage | ends_with |
|
ParentImage | eq |
|