Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API and would therefore let an attacker execute arbitrary binaries. This detection also covers any uncommon child processes spawned from "Wlrmdr.exe", as a supplement for environments that possess "ParentImage" telemetry.
Sigma rule
```yaml
title: Wlrmdr.EXE Uncommon Argument Or Child Process
id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb
status: test
description: |
    Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
    This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that possess "ParentImage" telemetry.
references:
    - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
    - https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
author: frack113, manasmbellani
date: 2022-02-16
modified: 2024-03-06
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
        ParentImage|endswith: '\wlrmdr.exe'
    selection_child_img:
        - Image|endswith: '\wlrmdr.exe'
        - OriginalFileName: 'WLRMNDR.EXE'
    selection_child_cli:
        CommandLine|contains|all|windash:
            - '-s '
            - '-f '
            - '-t '
            - '-m '
            - '-a '
            - '-u '
    filter_main_winlogon:
        ParentImage: 'C:\Windows\System32\winlogon.exe'
    filter_main_empty:
        ParentImage:
            - ''
            - '-'
    filter_main_null:
        ParentImage: null
    condition: selection_parent or (all of selection_child_* and not 1 of filter_main_*)
falsepositives:
    - Unknown
level: medium
```
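To make the condition concrete, here is an added Python evaluator (not part of the rule or the Sigma project) that applies the two selections, the `windash` modifier and the three `filter_main_*` filters to a handful of constructed process-creation events. It assumes Sigma's default case-insensitive string matching and models a missing `ParentImage` field as `None`; the sample events are made up and the `suspicious.exe` argument is a placeholder.

```python
import re

# Sigma "windash": a '-' in the pattern also matches '/', en dash, em dash and horizontal bar.
WINDASH_CLASS = "[" + re.escape("-/\u2013\u2014\u2015") + "]"
REQUIRED_FLAGS = ["-s ", "-f ", "-t ", "-m ", "-a ", "-u "]           # selection_child_cli
FILTERED_PARENTS = {"c:\\windows\\system32\\winlogon.exe", "", "-"}    # filter_main_winlogon / filter_main_empty


def windash_contains(haystack, needle):
    """Case-insensitive 'contains' with the windash modifier applied to every '-' in the needle."""
    pattern = "".join(WINDASH_CLASS if ch == "-" else re.escape(ch) for ch in needle)
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def wlrmdr_rule_matches(event):
    """Evaluate: selection_parent or (all of selection_child_* and not 1 of filter_main_*)."""
    parent = event.get("ParentImage")          # None models a missing field (filter_main_null)
    image = (event.get("Image") or "").casefold()
    original = (event.get("OriginalFileName") or "").casefold()
    cmdline = event.get("CommandLine") or ""

    # selection_parent: anything spawned by wlrmdr.exe is a hit, whatever its own command line
    if parent is not None and parent.casefold().endswith("\\wlrmdr.exe"):
        return True

    child_img = image.endswith("\\wlrmdr.exe") or original == "wlrmndr.exe"
    child_cli = all(windash_contains(cmdline, flag) for flag in REQUIRED_FLAGS)
    filtered = parent is None or parent.casefold() in FILTERED_PARENTS
    return child_img and child_cli and not filtered


# Constructed sample events (not real telemetry); field names follow Sigma's process_creation taxonomy.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\wlrmdr.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                                    # child of wlrmdr -> hit
    {"ParentImage": "C:\\Windows\\System32\\winlogon.exe", "Image": "C:\\Windows\\System32\\wlrmdr.exe",
     "CommandLine": "wlrmdr.exe -s 60000 -f 2 -t Title -m Message -a 11 -u explorer.exe"},  # winlogon -> filtered
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\wlrmdr.exe",
     "CommandLine": "wlrmdr.exe /s -1 /f 0 /t Title /m Message /a 11 /u suspicious.exe"},  # slashes -> hit via windash
    {"Image": "C:\\Windows\\System32\\wlrmdr.exe",
     "CommandLine": "wlrmdr.exe -s -1 -f 0 -t Title -m Message -a 11 -u suspicious.exe"},  # no ParentImage -> filtered
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wlrmdr.exe",
     "CommandLine": "wlrmdr.exe -s -1 -f 0 -t Title -m Message -a 11"},                    # no -u flag -> miss
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(wlrmdr_rule_matches(ev), ev["CommandLine"])
```

The fourth event shows why `filter_main_null` matters: a sensor that never populates `ParentImage` cannot distinguish the benign winlogon-launched case, so the rule deliberately stays quiet there rather than alert on every wlrmdr.exe launch.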