Detection / DETPublic file

Windows Error Reporting Process Spawns a Command Shell

Detects a Windows command shell launched by wermgr.exe, matching the successful RoguePlanet privilege-escalation outcome after Defender remediation replaces the Windows Error Reporting executable and a privileged scheduled task runs it.

Sigma source

Raw YAML
title: Windows Error Reporting Process Spawns a Command Shell
id: 4bd28389-d5ce-40b7-bf12-9487267cdece
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects a Windows command shell launched by wermgr.exe, matching the successful RoguePlanet privilege-escalation outcome after Defender remediation replaces the Windows Error Reporting executable and a privileged scheduled task runs it.
references:
  - https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges
  - https://github.com/MSNightmare/RoguePlanet
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\wermgr.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Crash-response or diagnostic tooling that intentionally uses Windows Error Reporting to launch a command interpreter
  - Security testing that reproduces the RoguePlanet proof of concept in an isolated environment
level: high
tags:
  - attack.privilege-escalation
  - attack.t1068
related_publication: rogueplanet-defender-remediation-system-escalation
telemetry_assumptions:
  - Endpoint process telemetry preserves full parent-child image paths, user context, integrity level, and process identifiers.
  - Analysts can correlate the shell launch with recent Defender remediation, wermgr.exe file changes, scheduled-task execution, and activity from a low-privilege user session.

Relationships

Related files