From c3bb062fa6fb7f66ec55d76d9689d053f47aafde Mon Sep 17 00:00:00 2001
From: Swachchhanda Poudel <swachchhandashrawan@gmail.com>
Date: Wed, 2 Aug 2023 15:16:16 +0545
Subject: [PATCH] Added rules to detect lolbas provlaunch.exe

---
 .../proc_creation_win_lolbin_provlaunch.yml   | 27 +++++++++++++++++
 ...c_creation_win_registry_add_provlaunch.yml | 30 +++++++++++++++++++
 .../registry_set_lolbin_provlaunch.yml        | 30 +++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml
new file mode 100644
index 000000000..4ffa7f9ce
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml
@@ -0,0 +1,27 @@
+title: Indirect command execution through provlaunch.exe
+id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
+related:
+    - id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee
+      type: similar
+status: experimental
+description: Detect suspicious execution of provlaunch.exe for indirect execution of arbitrary commands.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\provlaunch.exe'
+        - OriginalFileName: 'provlaunch'
+        - Description: 'Provisioning package runtime command launching tool'
+    condition: selection
+falsepositives:
+    - Depends on the administrators activity
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml
new file mode 100644
index 000000000..11617cfb0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml
@@ -0,0 +1,30 @@
+title: Lolbas Provlaunch.exe indirect command execution - CLI
+id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+related:
+    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
+      type: similar
+status: experimental
+description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' add '
+            - 'SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml
new file mode 100644
index 000000000..998c23c4a
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml
@@ -0,0 +1,30 @@
+title: Lolbas Provlaunch.exe indirect command execution - REG
+id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee
+related:
+    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+      type: derived
+status: experimental
+description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: registry_set
+    product: windows
+    definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Provisioning\Commands\ subkey of the HKLM hives'
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: selection
+fields:
+    - TargetObject
+    - Details
+falsepositives:
+    - Unlikely
+level: high