Detectionmediumexperimental

Wlrmdr.EXE Uncommon Argument Or Child Process

Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François Hubaut, manasmbellaniCreated Wed Feb 16Updated Fri Oct 319cfc00b6-bfb7-49ce-9781-ef78503154bbwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
        ParentImage|endswith: '\wlrmdr.exe'
    selection_child_img:
        - Image|endswith: '\wlrmdr.exe'
        - OriginalFileName: 'WLRMNDR.EXE'
    selection_child_cli_flags_s:
        CommandLine|contains|windash: '-s '
    selection_child_cli_flags_f:
        CommandLine|contains|windash: '-f '
    selection_child_cli_flags_t:
        CommandLine|contains|windash: '-t '
    selection_child_cli_flags_m:
        CommandLine|contains|windash: '-m '
    selection_child_cli_flags_a:
        CommandLine|contains|windash: '-a '
    selection_child_cli_flags_u:
        CommandLine|contains|windash: '-u '
    filter_main_winlogon:
        ParentImage: 'C:\Windows\System32\winlogon.exe'
    filter_main_empty:
        ParentImage:
            - ''
            - '-'
    filter_main_null:
        ParentImage: null
    condition: selection_parent or (all of selection_child_* and not 1 of filter_main_*)