public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-27 07:18:05 +01:00
Code Issues Projects Releases Wiki Activity

Create wlrmdr.yml (#194)

Browse Source 
Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Moshe Kaplan 2022-02-16 15:41:14 -05:00 committed by GitHub
parent a7f7ec2cc2
commit 12c85eb8f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
yml/OSBinaries/wlrmdr.yml Normal file
View File

@ -0,0 +1,31 @@
---
Name: Wlrmdr.exe
Description: Windows Logon Reminder executable
Author: 'Moshe Kaplan'
Created: 2021-11-08
Commands:
- Command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe
Description: Execute calc.exe with the parent process spawning from wlrmdr.exe
Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10
Full_Path:
- Path: c:\windows\system32\wlrmdr.exe
Code_Sample:
- Code:
Detection:
- IOC: wlrmdr.exe spawning any new processes
Resources:
- Link: https://twitter.com/0gtweet/status/1493963591745220608
- Link: https://twitter.com/Oddvarmoe/status/927437787242090496
- Link: https://twitter.com/falsneg/status/1461625526640992260
- Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
- Person: Oddvar Moe
Handle: '@Oddvarmoe'
- Person: Freddy
Handle: '@falsneg'