Find sigma rule
Attack: Signed Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split
to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
MITRE
Tactic
- defense-evasion
technique
- T1218
Test : Provlaunch.exe Executes Arbitrary Command via Registry Key
OS
- windows
Description:
Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
- https://twitter.com/0gtweet/status/1674399582162153472
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ Registry keys are deleted after successful execution.
Executor
command_prompt
Sigma Rule
-
proc_creation_win_registry_provlaunch_provisioning_command.yml (id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25)
-
proc_creation_win_provlaunch_susp_child_process.yml (id: f9999590-1f94-4a34-a91e-951e47bedefd)