Merge pull request #324 from frack113/provlaunch

Add SigmaHQ Detection
Jose Enrique Hernandez 2023-09-03 13:37:49 -04:00 committed by GitHub
commit dadd9db018
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -14,6 +14,10 @@ Commands:
Full_Path:
- Path: c:\windows\system32\provlaunch.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
- IOC: c:\windows\system32\provlaunch.exe executions
- IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys
Resources:
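Review bot: the IOC entry `c:\windows\system32\provlaunch.exe executions` is too broad on its own, since it matches every run of a legitimate signed Windows binary and will generate noise in any environment that uses provisioning; consider qualifying it with the narrowing the linked Sigma rules already apply (a suspicious child process, or an execution while `HKLM\SOFTWARE\Microsoft\Provisioning\Commands` subkeys are present), e.g. `- IOC: c:\windows\system32\provlaunch.exe executions with a suspicious child process or while HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys exist`. Pinning all four Sigma links to commit `9cb124f841c4358ca859e8474d6e7bb5268284a2` is good for reproducibility, but note that readers will not pick up later rule revisions from those URLs.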