Merge PR SigmaHQ#4753 from @defensivedepth - Update `Wlrmdr.EXE Uncom…

…mon Argument Or Child Process` update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier. --------- Co-authored-by: nasbench <[email protected]>
frack113 · Mar 6, 2024 · 9263f05 · 9263f05
1 parent 372d9ef
commit 9263f05
Showing 1 changed file with 17 additions and 11 deletions.
diff --git a/...ation/proc_creation_win_lolbin_wlrmdr.yml → ...ion_win_wlrmdr_uncommon_child_process.yml b/...ation/proc_creation_win_lolbin_wlrmdr.yml → ...ion_win_wlrmdr_uncommon_child_process.yml
@@ -1,38 +1,44 @@
-title: Wlrmdr Lolbin Use as Launcher
+title: Wlrmdr.EXE Uncommon Argument Or Child Process
 id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb
 status: test
-description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
+description: |
+    Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
+    This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
 references:
     - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
+    - https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
 author: frack113, manasmbellani
 date: 2022/02/16
-modified: 2022/12/06
+modified: 2024/03/06
 tags:
     - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
     product: windows
 detection:
+    selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
+        ParentImage|endswith: '\wlrmdr.exe'
     selection_child_img:
         - Image|endswith: '\wlrmdr.exe'
         - OriginalFileName: 'WLRMNDR.EXE'
     selection_child_cli:
-        CommandLine|contains|all:
-            # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced)
+        CommandLine|contains|all|windash:
             - '-s '
             - '-f '
             - '-t '
             - '-m '
             - '-a '
             - '-u '
-    selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
-        ParentImage|endswith: '\wlrmdr.exe'
-    filter:
+    filter_main_winlogon:
         ParentImage: 'C:\Windows\System32\winlogon.exe'
-    filter_null:
-        ParentImage: '-'
-    condition: selection_parent or (all of selection_child_* and not 1 of filter*)
+    filter_main_empty:
+        ParentImage:
+            - ''
+            - '-'
+    filter_main_null:
+        ParentImage: null
+    condition: selection_parent or (all of selection_child_* and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: medium