Potential Provlaunch.EXE Binary Proxy Execution Abuse

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Sigma rule (View on GitHub)

 1title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
 2id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
 3related:
 4    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
 5      type: similar
 6    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
 7      type: similar
 8    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
 9      type: similar
10status: test
11description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
12references:
13    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
14    - https://twitter.com/0gtweet/status/1674399582162153472
15author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
16date: 2023-08-08
17tags:
18    - attack.defense-evasion
19    - attack.t1218
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        ParentImage|endswith: '\provlaunch.exe'
26    filter_main_covered_children:
27        # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
28        - Image|endswith:
29              - '\calc.exe'
30              - '\cmd.exe'
31              - '\cscript.exe'
32              - '\mshta.exe'
33              - '\notepad.exe'
34              - '\powershell.exe'
35              - '\pwsh.exe'
36              - '\regsvr32.exe'
37              - '\rundll32.exe'
38              - '\wscript.exe'
39        - Image|contains:
40              - ':\PerfLogs\'
41              - ':\Temp\'
42              - ':\Users\Public\'
43              - '\AppData\Temp\'
44              - '\Windows\System32\Tasks\'
45              - '\Windows\Tasks\'
46              - '\Windows\Temp\'
47    condition: selection and not 1 of filter_main_*
48falsepositives:
49    - Unknown
50level: medium

References

Related rules

to-top