From 12c85eb8f07fe53e4d1d68795b414f7c25514c2b Mon Sep 17 00:00:00 2001 From: Moshe Kaplan Date: Wed, 16 Feb 2022 15:41:14 -0500 Subject: [PATCH] Create wlrmdr.yml (#194) Co-authored-by: Wietze --- yml/OSBinaries/wlrmdr.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 yml/OSBinaries/wlrmdr.yml diff --git a/yml/OSBinaries/wlrmdr.yml b/yml/OSBinaries/wlrmdr.yml new file mode 100644 index 0000000..5a7a993 --- /dev/null +++ b/yml/OSBinaries/wlrmdr.yml @@ -0,0 +1,31 @@ +--- +Name: Wlrmdr.exe +Description: Windows Logon Reminder executable +Author: 'Moshe Kaplan' +Created: 2021-11-08 +Commands: + - Command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe + Description: Execute calc.exe with the parent process spawning from wlrmdr.exe + Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\windows\system32\wlrmdr.exe +Code_Sample: + - Code: +Detection: + - IOC: wlrmdr.exe spawning any new processes +Resources: + - Link: https://twitter.com/0gtweet/status/1493963591745220608 + - Link: https://twitter.com/Oddvarmoe/status/927437787242090496 + - Link: https://twitter.com/falsneg/status/1461625526640992260 + - Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet' + - Person: Oddvar Moe + Handle: '@Oddvarmoe' + - Person: Freddy + Handle: '@falsneg'
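Review bot: The Detection IOC `wlrmdr.exe spawning any new processes` is broader than the technique the entry documents; since the Command and Description already tie the behaviour to the `-u calc.exe` argument producing a child of wlrmdr.exe, consider stating the IOC as a process-creation event whose parent image is `c:\windows\system32\wlrmdr.exe` and whose parent command line contains `-u`, so detections key on the documented proxy-execution pattern rather than any spawn. Separately, `Code_Sample: - Code:` is added with no value; either supply the sample or drop the stanza so the file does not carry an empty field, and the wording `Execute calc.exe with the parent process spawning from wlrmdr.exe` would read more precisely as `Execute calc.exe as a child process of wlrmdr.exe`.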