Wlrmdr.EXE Uncommon Argument Or Child Process (9cfc00b6-bfb7-49ce-9781-ef78503154bb)
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Wlrmdr.EXE Uncommon Argument Or Child Process (9cfc00b6-bfb7-49ce-9781-ef78503154bb) | Sigma-Rules | 1 |