Added rules to detect lolbas provlaunch.exe

rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml

@@ -0,0 +1,27 @@
+title: Indirect command execution through provlaunch.exe
+id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
+related:
+    - id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee
+      type: similar
+status: experimental
+description: Detect suspicious execution of provlaunch.exe for indirect execution of arbitrary commands.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\provlaunch.exe'
+        - OriginalFileName: 'provlaunch'
+        - Description: 'Provisioning package runtime command launching tool'
+    condition: selection
+falsepositives:
+    - Depends on the administrators activity
+level: high

rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml

@@ -0,0 +1,30 @@
+title: Lolbas Provlaunch.exe indirect command execution - CLI
+id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+related:
+    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
+      type: similar
+status: experimental
+description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' add '
+            - 'SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml

@@ -0,0 +1,30 @@
+title: Lolbas Provlaunch.exe indirect command execution - REG
+id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee
+related:
+    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+      type: derived
+status: experimental
+description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: registry_set
+    product: windows
+    definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Provisioning\Commands\ subkey of the HKLM hives'
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: selection
+fields:
+    - TargetObject
+    - Details
+falsepositives:
+    - Unlikely
+level: high