provlaunch.exe LOLBin

Execute
Executes a command defined in the Registry. Requires a three-level key structure beneath HKLM\SOFTWARE\Microsoft\Provisioning\Commands containing specific keywords (the example below uses the value names altitude and Commandline). Such keys may be created with two reg.exe commands, e.g. "reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0" and "reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe". The registry keys are deleted after successful execution.
Usecase: Executes arbitrary command
Privileges required: Administrator
OS: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
MITRE ATT&CK®: T1218
IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys
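As an added example (not part of the LOLBAS entry and not Microsoft tooling), the following PowerShell audits the IOC listed above from the defender's side: it enumerates whatever currently sits beneath HKLM\SOFTWARE\Microsoft\Provisioning\Commands and flags keys carrying the altitude or Commandline values the description mentions, and, because the keys are removed after a successful run and a point-in-time scan can therefore miss them, it also pulls Sysmon registry telemetry (Event ID 12 for key create/delete, Event ID 13 for value set) for the same path. The function names and parameters are hypothetical; the event query assumes Sysmon is installed and configured to record registry events for that path.

```powershell
# Added example: defender-side audit for the provlaunch.exe IOC described above.
# Not code from the LOLBAS entry. Function names and parameters are hypothetical.

function Get-ProvisioningCommandKeys {
    <#
    .SYNOPSIS
      Lists every subkey beneath HKLM\SOFTWARE\Microsoft\Provisioning\Commands and
      flags those carrying the values the entry describes (altitude, Commandline).
    #>
    [CmdletBinding()]
    param(
        # Root named in the IOC; a parameter only so the function can be pointed at a mounted offline hive.
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Commands'
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        # Keys are deleted after successful execution, so an empty result is not proof of absence.
        Write-Verbose "$Root does not exist at scan time"
        return
    }

    $rootDepth = ($Root -split '\\').Count

    Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        # Depth relative to the Commands root. The documented structure is
        # Commands\<A>\<B> (altitude DWORD) and Commands\<A>\<B>\<C> (Commandline string).
        $depth = ($key.Name -split '\\').Count - $rootDepth

        [pscustomobject]@{
            Key         = $key.Name
            Depth       = $depth
            Altitude    = $props.altitude
            Commandline = $props.Commandline
            # Any key carrying either value matches the structure the entry describes.
            Suspicious  = [bool]($props.PSObject.Properties['Commandline'] -or $props.PSObject.Properties['altitude'])
        }
    }
}

function Get-ProvisioningCommandEvents {
    <#
    .SYNOPSIS
      Searches Sysmon registry telemetry (Event ID 12 = key create/delete, 13 = value set)
      for writes under the Provisioning\Commands path. Assumes Sysmon is installed and
      its configuration logs registry events for that path.
    #>
    [CmdletBinding()]
    param(
        [datetime]$Since   = (Get-Date).AddDays(-7),
        [string]$LogName   = 'Microsoft-Windows-Sysmon/Operational'
    )

    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        Write-Verbose "Log $LogName not present (Sysmon not installed?)"
        return
    }

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 12, 13; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Provisioning\\Commands\\' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                EventId      = $_.Id
                # Sysmon's message body carries TargetObject (the key/value touched)
                # and Image (the process that wrote it, e.g. reg.exe) on separate lines.
                TargetObject = ($lines | Where-Object { $_ -like 'TargetObject:*' } | Select-Object -First 1)
                Image        = ($lines | Where-Object { $_ -like 'Image:*' }        | Select-Object -First 1)
            }
        }
}

# Usage: both functions emit objects suitable for Format-Table or Export-Csv during triage.
Get-ProvisioningCommandKeys -Verbose | Format-Table -AutoSize
Get-ProvisioningCommandEvents       | Format-Table -AutoSize
```

Because the keys self-delete, the live registry scan mainly catches staged or failed attempts; the event query is what reconstructs a completed run. Where Sysmon is not available, Windows Security Event ID 4657 (registry value modified) provides the same signal, but only once an audit SACL has been set on the Provisioning\Commands key, and process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688) for provlaunch.exe launched outside provisioning-package workflows is the natural second pivot.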