Update T1218.yaml (#2855)

* Update T1218.yaml * Update T1218.yaml * Update T1218.yaml --------- Co-authored-by: Hare Sudhan <[email protected]> Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Jul 24, 2024 · 5fc2f6d · 5fc2f6d
1 parent b0f5fc1
commit 5fc2f6d
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
@@ -401,3 +401,18 @@ atomic_tests:
       taskkill -f -im calc.exe
       taskkill -f -im win32calc.exe
     name: powershell
+- name: System Binary Proxy Execution - Wlrmdr Lolbin
+  auto_generated_guid: 
+  description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures
+  supported_platforms:
+  - windows
+  input_arguments:
+    payload_path:
+      description: Path to the executable
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
+    name: powershell
+    elevation_required: false
+