
Summary
This analytic rule detects the spawning of command prompt (cmd.exe) or PowerShell processes by the Windows Error Reporting Manager (wermgr.exe). Using data from Endpoint Detection and Response (EDR) agents, the detection focuses on process-creation telemetry, specifically parent-child relationships and command-line arguments. This behavior is notably linked to malicious activity, particularly threats such as TrickBot, which use wermgr.exe as a vector to execute harmful code through shell commands or to load malicious DLLs. If confirmed malicious, this activity allows attackers to execute arbitrary code, potentially escalate privileges, or establish persistence, posing significant risks to system integrity.
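As an added illustration (not the rule's own search logic), the following Python applies the same parent-child check to a few constructed EDR-style process-creation records. Field names such as parent_process_name, process_name, process and dest are assumptions modelled on common endpoint schemas, and pwsh.exe is included next to powershell.exe as an assumed extension of the "PowerShell" match.

```python
"""Flag cmd.exe / PowerShell children of wermgr.exe in process-creation telemetry."""
from __future__ import annotations

import ntpath

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"_time": 1731500000, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "C:\\Windows\\System32\\wermgr.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process": "cmd.exe /c \"C:\\Users\\Public\\update.bat\""},
    {"_time": 1731500042, "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "C:\\Windows\\SysWOW64\\WERMGR.EXE",  # mixed case on purpose
     "process_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE",
     "process": "powershell.exe -NoProfile -File C:\\Users\\Public\\stage.ps1"},
    {"_time": 1731500100, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "C:\\Windows\\explorer.exe",   # benign: parent is not wermgr.exe
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process": "cmd.exe"},
    {"_time": 1731500130, "dest": "ws03", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "C:\\Windows\\System32\\svchost.exe",  # wermgr.exe as the child
     "process_name": "C:\\Windows\\System32\\wermgr.exe",
     "process": "wermgr.exe -upload"},
]

PARENT = "wermgr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # pwsh.exe is an assumed extension


def basename(path: str) -> str:
    """Reduce a Windows path (or bare image name) to its lower-case file name."""
    return ntpath.basename(path).lower()


def is_wermgr_shell_spawn(event: dict) -> bool:
    """True when wermgr.exe is the parent and the child is a command or PowerShell shell."""
    return (basename(event.get("parent_process_name", "")) == PARENT
            and basename(event.get("process_name", "")) in SHELLS)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per matching event, keeping the fields an analyst needs for triage."""
    findings = []
    for ev in events:
        if is_wermgr_shell_spawn(ev):
            findings.append({"_time": ev.get("_time"), "dest": ev.get("dest"),
                             "user": ev.get("user"),
                             "parent_process_name": basename(ev["parent_process_name"]),
                             "process_name": basename(ev["process_name"]),
                             "process": ev.get("process", "")})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']}: {hit['parent_process_name']} -> {hit['process']}")
```

Matching on the lower-cased image basename keeps the check stable across System32/SysWOW64 paths and case variations, while the retained command line is what distinguishes a real shell spawn from noise during triage.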
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1059
Created: 2024-11-13