Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1615-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1616-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -203,6 +203,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use a
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,15,LOLBAS Msedge to Spawn Process,e5eedaed-ad42-4c1e-8783-19529738a349,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,16,System Binary Proxy Execution - Wlrmdr Lolbin,7816c252-b728-4ea6-a683-bd9441ca0b71,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -126,6 +126,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use a
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,15,LOLBAS Msedge to Spawn Process,e5eedaed-ad42-4c1e-8783-19529738a349,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,16,System Binary Proxy Execution - Wlrmdr Lolbin,7816c252-b728-4ea6-a683-bd9441ca0b71,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -258,6 +258,7 @@
   - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
   - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
   - Atomic Test #15: LOLBAS Msedge to Spawn Process [windows]
+  - Atomic Test #16: System Binary Proxy Execution - Wlrmdr Lolbin [windows]
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
   - Atomic Test #2: Set a file's modification timestamp [linux, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -170,6 +170,7 @@
   - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
   - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
   - Atomic Test #15: LOLBAS Msedge to Spawn Process [windows]
+  - Atomic Test #16: System Binary Proxy Execution - Wlrmdr Lolbin [windows]
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
   - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]

atomics/Indexes/index.yaml

@@ -9771,6 +9771,21 @@ defense-evasion:
           taskkill -f -im calc.exe
           taskkill -f -im win32calc.exe
         name: powershell
+    - name: System Binary Proxy Execution - Wlrmdr Lolbin
+      auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71
+      description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary
+        to evade defensive countermeasures
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload_path:
+          description: Path to the executable
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
+        name: powershell
+        elevation_required: false
   T1070.006:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -7734,6 +7734,21 @@ defense-evasion:
           taskkill -f -im calc.exe
           taskkill -f -im win32calc.exe
         name: powershell
+    - name: System Binary Proxy Execution - Wlrmdr Lolbin
+      auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71
+      description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary
+        to evade defensive countermeasures
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload_path:
+          description: Path to the executable
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
+        name: powershell
+        elevation_required: false
   T1070.006:
     technique:
       x_mitre_platforms:

atomics/T1218/T1218.md

@@ -36,6 +36,8 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code
 
 - [Atomic Test #15 - LOLBAS Msedge to Spawn Process](#atomic-test-15---lolbas-msedge-to-spawn-process)
 
+- [Atomic Test #16 - System Binary Proxy Execution - Wlrmdr Lolbin](#atomic-test-16---system-binary-proxy-execution---wlrmdr-lolbin)
+
 
 <br/>
 
@@ -726,4 +728,37 @@ taskkill -f -im win32calc.exe
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - System Binary Proxy Execution - Wlrmdr Lolbin
+Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7816c252-b728-4ea6-a683-bd9441ca0b71
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| payload_path | Path to the executable | String | C:&#92;Windows&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
+```
+
+
+
+
+
+
 <br/>

atomics/T1218/T1218.yaml

@@ -402,7 +402,7 @@ atomic_tests:
       taskkill -f -im win32calc.exe
     name: powershell
 - name: System Binary Proxy Execution - Wlrmdr Lolbin
-  auto_generated_guid: 
+  auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71
   description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures
   supported_platforms:
   - windows

atomics/used_guids.txt

@@ -1654,3 +1654,4 @@ f2915249-4485-42e2-96b7-9bf34328d497
 6904235f-0f55-4039-8aed-41c300ff7733
 004a5d68-627b-452d-af3d-43bd1fc75a3b
 573d15da-c34e-4c59-a7d2-18f20d92dfa3
+7816c252-b728-4ea6-a683-bd9441ca0b71