Suspicious Provlaunch.EXE Child Process

About the rule

Rule Type

Standard

Rule Description

Detects suspicious child processes spawned by "provlaunch.exe," which may indicate potential exploitation for proxy execution abuse. The rule monitors launching of processes such as calc.exe, cmd.exe, cscript.exe, mshta.exe, notepad.exe, powershell.exe, pwsh.exe, regsvr32.exe, rundll32.exe, and wscript.exe or execution from common temporary or scheduled task directories.

Severity

Trouble

Rule journey

Attack chain scenario

Defense Evasion: System Binary Proxy Execution (T1218)

Impact

Attackers may abuse trusted binaries like provlaunch.exe to proxy execution of malicious code, allowing stealthy execution and evasion of security controls.

Rule Requirement

Prerequisites

Using Windows Event Viewer

1. Log in to a domain controller with domain admin credentials.
2. Open the Group Policy Management Console by typing gpmc.msc in the Run dialog.
3. Create a new GPO or edit an existing one linked to the appropriate OU.
4. Navigate to:
   Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
5. Right-click on Audit Process Creation, select Properties, then:
   • Check Configure the following audit events
   • Select Success
6. Right-click on Audit Process Termination, select Properties, then:
   • Check Configure the following audit events
   • Select Success
7. To include command-line details in logs:
   • Go to Computer Configuration → Administrative Templates → System → Audit Process Creation
   • Open Include command line in process creation events
   • Select Enabled
8. Create the registry key:
   Microsoft-Windows-Security-Auditing/Operational
   Under the path:
   Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Using Sysmon

1. Download and install Sysmon from Microsoft Sysinternals.
2. Open Command Prompt with administrator privileges.
3. Create or download a Sysmon configuration file that includes process creation monitoring.
4. Install Sysmon using:
   sysmon.exe -i [configfile.xml]
5. In your config file, ensure the following section is included to monitor all process creation events:

<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="exclude"/>
<!-- This captures all process creations -->
</EventFiltering>
</Sysmon>

1. Create the registry key:
   Microsoft-Windows-Sysmon/Operational
   Under the path:
   Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

T1218: System Binary Proxy Execution

Security Standards

• Disable or remove unnecessary native binaries that could be exploited.
• Employ application control to block execution of vulnerable or unnecessary binaries.
• Utilize exploit protection tools like EMET or Attack Surface Reduction rules to prevent proxy execution.
• Implement network filtering to detect and block suspicious traffic and protocol abuses.
• Restrict execution of sensitive binaries to privileged accounts.
• Apply web content restrictions to limit exposure to malicious content.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

None documented; further investigation may be required to rule out benign use.

Next Steps

• Investigate detected child processes of provlaunch.exe for potential suspicious behavior.
• Review necessity of provlaunch.exe usage and limit where possible.
• Enforce process creation auditing and monitoring.
• Deploy exploit protection and network filtering as preventive controls.
• Train security teams on recognizing proxy execution abuse.

Mitigation