
Summary
This detection rule targets execution of the 'Wlrmdr.exe' process (the Windows Logon Reminder utility) with the '-u' command line argument. The value passed to '-u' is handed to the ShellExecute API, so an attacker can use this signed, Microsoft-shipped binary to launch an arbitrary command and have it appear as a child of a trusted system process. The rule also flags any uncommon child process spawned by 'Wlrmdr.exe', because the ShellExecute target shows up as exactly such a child. Both branches point at the same behavior: proxying execution through a legitimate binary as a defense evasion tactic. To keep fidelity, the rule filters expected child images and command line patterns, benign invocations by the Windows logon process (winlogon.exe), and events with an empty or null parent image, so routine system activity does not generate alerts.
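The following is an added illustration of the detection logic described above, run over constructed process-creation events. It is not the rule's own query or any vendor code; the field names, the expected-child allowlist, and the exact shape of the winlogon.exe and null-parent filters are assumptions modelled on the summary.

```python
"""Evaluate the Wlrmdr.exe detection logic over constructed process events.

Added illustration only: not the rule's own query or any vendor code. Field
names, the expected-child allowlist and the filter shapes are assumptions.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Children of wlrmdr.exe treated as expected and not alerted on.
# Assumption: a real rule would tune this from baseline telemetry.
EXPECTED_CHILDREN = {"werfault.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed; field names assumed)."""
    image: str
    command_line: str
    parent_image: Optional[str]


def basename(path: Optional[str]) -> str:
    """Lower-cased file name from a Windows path; '' for empty/None."""
    if not path:
        return ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> List[str]:
    """Tokenise a Windows command line; backslashes are not escapes here."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def has_u_argument(cmdline: str) -> bool:
    """True if a standalone -u flag (the ShellExecute target flag) is present."""
    return any(tok.lower() == "-u" for tok in split_args(cmdline))


def u_target(cmdline: str) -> Optional[str]:
    """Return what follows -u, i.e. what wlrmdr.exe would hand to ShellExecute."""
    args = split_args(cmdline)
    for i, tok in enumerate(args):
        if tok.lower() == "-u" and i + 1 < len(args):
            return " ".join(a.strip('"') for a in args[i + 1:])
    return None


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return a match reason for one event, or None if it is filtered out."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)

    if image == "wlrmdr.exe":
        # Filters: the logon process launches wlrmdr.exe legitimately, and a
        # record with an empty/null parent image cannot be attributed.
        if parent in ("", "winlogon.exe"):
            return None
        if has_u_argument(ev.command_line):
            return f"wlrmdr.exe with -u, ShellExecute target: {u_target(ev.command_line)}"

    if parent == "wlrmdr.exe" and image not in EXPECTED_CHILDREN:
        return f"uncommon child {image} spawned by wlrmdr.exe"

    return None


def run_detection(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Apply the rule to every event; return (image, reason) for each match."""
    hits = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            hits.append((basename(ev.image), reason))
    return hits


# Constructed sample telemetry (not captured data).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # 1. Abuse: -u points at an attacker-chosen command, parent is a shell.
    ProcessEvent(SYS32 + "wlrmdr.exe",
                 "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe",
                 SYS32 + "cmd.exe"),
    # 2. Benign: same binary launched by the logon process (filtered).
    ProcessEvent(SYS32 + "wlrmdr.exe",
                 'wlrmdr.exe -s 0 -f 2 -t "Reminder" -m "Change password" -a 11 -u control.exe',
                 SYS32 + "winlogon.exe"),
    # 3. Uncommon child of wlrmdr.exe (flagged).
    ProcessEvent(SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -nop -w hidden",
                 SYS32 + "wlrmdr.exe"),
    # 4. Expected child of wlrmdr.exe (filtered by the allowlist).
    ProcessEvent(SYS32 + "WerFault.exe", "WerFault.exe -u -p 4242",
                 SYS32 + "wlrmdr.exe"),
    # 5. Missing parent image: filtered even though -u is present.
    ProcessEvent(SYS32 + "wlrmdr.exe",
                 "wlrmdr.exe -s 0 -f 0 -t _ -m _ -a 11 -u cmd.exe", None),
]

if __name__ == "__main__":
    for image, reason in run_detection(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Running the block prints two hits: the shell-parented 'wlrmdr.exe -u calc.exe' launch and the powershell.exe child of wlrmdr.exe. The winlogon.exe-parented event, the allowlisted child and the null-parent record are all suppressed, which is the trade-off the summary describes: the null-parent filter lowers noise but also means an event with missing lineage will not alert, so that gap should be covered by the uncommon-child branch or by a separate data-quality check.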
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-02-16