Suspicious Provlaunch.EXE Child Process

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Sigma rule (View on GitHub)

 1title: Suspicious Provlaunch.EXE Child Process
 2id: f9999590-1f94-4a34-a91e-951e47bedefd
 3related:
 4    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
 5      type: similar
 6    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
 7      type: similar
 8    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
 9      type: similar
10status: test
11description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
12references:
13    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
14    - https://twitter.com/0gtweet/status/1674399582162153472
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2023/08/08
17tags:
18    - attack.defense_evasion
19    - attack.t1218
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_parent:
25        ParentImage|endswith: '\provlaunch.exe'
26    selection_child:
27        - Image|endswith:
28              - '\calc.exe'
29              - '\cmd.exe'
30              - '\cscript.exe'
31              - '\mshta.exe'
32              - '\notepad.exe'
33              - '\powershell.exe'
34              - '\pwsh.exe'
35              - '\regsvr32.exe'
36              - '\rundll32.exe'
37              - '\wscript.exe'
38        - Image|contains:
39              - ':\PerfLogs\'
40              - ':\Temp\'
41              - ':\Users\Public\'
42              - '\AppData\Temp\'
43              - '\Windows\System32\Tasks\'
44              - '\Windows\Tasks\'
45              - '\Windows\Temp\'
46    condition: all of selection_*
47falsepositives:
48    - Unknown
49level: high

References

Related rules

to-top