← Back to SOC feed Coverage →

Potential Provlaunch.EXE Binary Proxy Execution Abuse

sigma MEDIUM SigmaHQ
T1218
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-13T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects child processes of “provlaunch.exe” which might indicate potential abuse to proxy execution.

Detection Rule

Sigma (Original)

title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
      type: similar
    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
      type: similar
    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
      type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    - https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\provlaunch.exe'
    filter_main_covered_children:
        # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
        - Image|endswith:
              - '\calc.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\notepad.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - Image|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - '\AppData\Temp\'
              - '\Windows\System32\Tasks\'
              - '\Windows\Tasks\'
              - '\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\provlaunch.exe" or ActingProcessName endswith "\\provlaunch.exe") and (not(((TargetProcessName endswith "\\calc.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\notepad.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\wscript.exe") or (TargetProcessName contains ":\\PerfLogs\\" or TargetProcessName contains ":\\Temp\\" or TargetProcessName contains ":\\Users\\Public\\" or TargetProcessName contains "\\AppData\\Temp\\" or TargetProcessName contains "\\Windows\\System32\\Tasks\\" or TargetProcessName contains "\\Windows\\Tasks\\" or TargetProcessName contains "\\Windows\\Temp\\"))))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml