Detection rules › Splunk
Wermgr Process Connecting To IP Check Web Services
The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1590.005 Gather Victim Network Information: IP Addresses |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search EventCode=22 QueryName IN ("*api.ip.sb", "*api.ipify.org", "*b.barracudacentral.org", "*cbl.abuseat.org", "*checkip.amazonaws.com", "*dnsbl-1.uceprotect.net", "*icanhazip.com", "*ip.anysrc.com", "*ipecho.net", "*ipinfo.io", "*spam.dnsbl.sorbs.net", "*wtfismyip.com", "*zen.spamhaus.org", "ident.me", "www.myexternalip.com") process_name="wermgr.exe"
Stage 2: stats
stats BY answer, answer_count, dvc, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
QueryName | in |
|
process_name | eq |
|