Skip to content

RoguePlanet Exploit Rules#6109

Open
st0pp3r wants to merge 11 commits into
SigmaHQ:masterfrom
st0pp3r:master
Open

RoguePlanet Exploit Rules#6109
st0pp3r wants to merge 11 commits into
SigmaHQ:masterfrom
st0pp3r:master

Conversation

@st0pp3r

@st0pp3r st0pp3r commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

This PR adds four new experimental Sigma rules to detect indicators and execution artifacts associated with the RoguePlanet local privilege escalation exploit on Windows.

The rules detect:

Creation of wermgr.exe within RoguePlanet's characteristic RP_ temporary staging directories.
Creation or use of the \RoguePlanet named pipe.
Suspicious process chains where wermgr.exe launches conhost.exe, which subsequently spawns command interpreters such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.
Windows Defender Event ID 1119 indicating wermgr.exe is detected as the EICAR test file or the presence of the RoguePlanet.exe process.

Changelog

new: RoguePlanet - wermgr.exe staged in RP_ Prefixed Temp Dir
new: RoguePlanet - Named Pipe Created
new: RoguePlanet - Conhost.exe Spawned by wermgr.exe
new: RoguePlanet - Wermgr.exe Detected As EICAR Test File

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant