Suspicious Provlaunch.EXE Child Process

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Sigma rule (View on GitHub)

title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
      type: similar
    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
      type: similar
    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
      type: similar
status: experimental
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    - https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/08
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\provlaunch.exe'
    selection_child:
        - Image|endswith:
              - '\calc.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\notepad.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - Image|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - '\AppData\Temp\'
              - '\Windows\System32\Tasks\'
              - '\Windows\Tasks\'
              - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
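
An added example, not part of the original rule page or the Sigma project: a Python evaluation of this rule's condition over constructed process-creation events, using Sigma's default case-insensitive string matching. The event dictionaries and the `matches` and `triage` names are assumptions made for illustration.

```python
# Added illustration: the rule's detection logic applied to constructed events.
PARENT_SUFFIX = "\\provlaunch.exe"
CHILD_SUFFIXES = (
    "\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\notepad.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\wscript.exe",
)
CHILD_PATH_PARTS = (
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\AppData\\Temp\\",
    "\\Windows\\System32\\Tasks\\", "\\Windows\\Tasks\\", "\\Windows\\Temp\\",
)

def matches(event):
    """Return the matching child clause, or None if the rule does not fire."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # selection_parent must hold ("all of selection_*" is a logical AND).
    if not parent.endswith(PARENT_SUFFIX):
        return None
    # selection_child is a list of maps: either clause is sufficient (OR).
    for suffix in CHILD_SUFFIXES:
        if image.endswith(suffix.lower()):
            return f"Image|endswith {suffix}"
    for part in CHILD_PATH_PARTS:
        if part.lower() in image:
            return f"Image|contains {part}"
    return None

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\provlaunch.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ParentImage": "C:\\WINDOWS\\system32\\PROVLAUNCH.EXE",
     "Image": "C:\\Users\\Public\\updater.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ParentImage": "C:\\Windows\\System32\\provlaunch.exe",
     "Image": "C:\\Program Files\\Vendor\\agent.exe"},
]

def triage(events):
    """Return (index, reason) for every event that satisfies the rule."""
    return [(i, r) for i, e in enumerate(events) if (r := matches(e))]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: alert ({reason})")
```

The third event shows that a listed child image alone does not alert without the provlaunch.exe parent, and the fourth shows that a provlaunch.exe child outside the listed names and paths is not flagged.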
