Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selectionFalse positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Techniques
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Detects similar activity. Both rules may fire on overlapping events.
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Detects similar activity. Both rules may fire on overlapping events.
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Detects similar activity. Both rules may fire on overlapping events.