Detection rules › Splunk
Windows App Layer Protocol Wermgr Connect To NamedPipe
The following analytic detects the wermgr.exe process creating or connecting to a named pipe. It leverages Sysmon EventCodes 17 and 18 to identify these actions. This activity is significant because wermgr.exe, a legitimate Windows OS Problem Reporting application, is often abused by malware such as Trickbot and Qakbot to execute malicious code. If confirmed malicious, this behavior could indicate that an attacker has injected code into wermgr.exe, potentially allowing them to communicate covertly, escalate privileges, or persist within the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071 Application Layer Protocol |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Stages and Predicates
Stage 1: search
search EventCode IN (17, 18) EventType IN ("ConnectPipe", "CreatePipe") Image="*\\wermgr.exe"
Stage 2: stats
stats BY dest, dvc, pipe_name, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Image, PipeName
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | in |
|
EventType | in |
|
Image | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.