Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Sigma rule

title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
  - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
    type: similar
  - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
    type: similar
  - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
    type: similar
status: test
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
  - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
  - https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
  - attack.defense-evasion
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\provlaunch.exe'
  selection_child:
    - Image|endswith:
        - '\calc.exe'
        - '\cmd.exe'
        - '\cscript.exe'
        - '\mshta.exe'
        - '\notepad.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\wscript.exe'
    - Image|contains:
        - ':\PerfLogs\'
        - ':\Temp\'
        - ':\Users\Public\'
        - '\AppData\Temp\'
        - '\Windows\System32\Tasks\'
        - '\Windows\Tasks\'
        - '\Windows\Temp\'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high
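To make the rule's logic concrete, the following added example (not part of the Sigma project or this rule's author) re-implements the detection section in plain Python and runs it over a few constructed process_creation events. It shows how the two list items under selection_child are OR-ed together, how `all of selection_*` then ANDs the parent and child selections, and that Sigma string modifiers such as `endswith` and `contains` match case-insensitively, so a parent written as `PROVLAUNCH.EXE` still triggers. The event dictionaries and their paths are constructed sample data, not real telemetry.

```python
"""Re-implementation of the detection logic of the Sigma rule above.

Added example, not the Sigma project's own code. The sample events at the
bottom are constructed for illustration, not captured from a real host.
"""

# String values copied from the rule's detection section.
PARENT_SUFFIX = "\\provlaunch.exe"
CHILD_SUFFIXES = [
    "\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\notepad.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\wscript.exe",
]
CHILD_PATH_FRAGMENTS = [
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\AppData\\Temp\\",
    "\\Windows\\System32\\Tasks\\", "\\Windows\\Tasks\\", "\\Windows\\Temp\\",
]


def _endswith(value, suffixes):
    # Sigma's |endswith modifier compares case-insensitively by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, fragments):
    # Sigma's |contains modifier is likewise case-insensitive.
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def selection_parent(event):
    """selection_parent: ParentImage|endswith '\\provlaunch.exe'."""
    return _endswith(event.get("ParentImage", ""), [PARENT_SUFFIX])


def selection_child(event):
    """selection_child: the two list items (endswith list, contains list) are OR-ed."""
    image = event.get("Image", "")
    return _endswith(image, CHILD_SUFFIXES) or _contains(image, CHILD_PATH_FRAGMENTS)


def rule_matches(event):
    """condition: all of selection_*  -> both selections must hold."""
    return selection_parent(event) and selection_child(event)


# Constructed sample events (field names follow the Sigma process_creation model).
SAMPLE_EVENTS = [
    # 0: known LOLBIN-style child from the endswith list -> alert
    {"ParentImage": r"C:\Windows\System32\provlaunch.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # 1: upper-case parent, child in a world-writable directory -> alert
    {"ParentImage": r"C:\Windows\System32\PROVLAUNCH.EXE",
     "Image": r"C:\Users\Public\updater.exe"},
    # 2: matching parent but a child outside both lists -> no alert
    {"ParentImage": r"C:\Windows\System32\provlaunch.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    # 3: matching child but a different parent -> no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def matching_indices(events=SAMPLE_EVENTS):
    """Return the indices of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if rule_matches(e) else "ok", e["Image"])
```

Event 2 illustrates why the rule is narrower than "any child of provlaunch.exe": a child that is neither a listed interpreter nor launched from one of the listed writable or scheduled-task directories does not trigger it, which keeps the `level: high` rating defensible while leaving such activity to the broader related rules.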