From 50c481795b3c6081209a4b5cd89ee26646828576 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 3 Sep 2023 15:06:34 +0200
Subject: [PATCH] Add SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 yml/OSBinaries/Provlaunch.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml
index 825fe2b..0d29e27 100644
--- a/yml/OSBinaries/Provlaunch.yml
+++ b/yml/OSBinaries/Provlaunch.yml
@@ -14,6 +14,10 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\provlaunch.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
 - IOC: c:\windows\system32\provlaunch.exe executions
 - IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys
 Resources:
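Review bot: All four added Sigma links are pinned to commit 9cb124f841c4358ca859e8474d6e7bb5268284a2, which keeps each reference stable but means consumers of this entry will not pick up later corrections or tuning to those rules. The entry already lists two IOC items for the same binary and registry path, so the rule links cover both the process-creation and registry-set angles; it would help a reader to know which is which, e.g. by noting in the commit description that the first three are process_creation rules and the fourth is a registry_set rule. If the project prefers pinned references, consider recording that convention once in the repository so future Detection entries follow the same form.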