eq_0002 — 2 rules with the same canonical form

Vendors: sigma (2). Stage count: 2. Correlation shape: alternatives_cross_log.

Members

Sigma Potential Provlaunch.EXE Binary Proxy Execution Abuse events 4688, 1
Sigma Suspicious Provlaunch.EXE Child Process events 4688, 1

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution

Stages and predicates (per member)

Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 1 `selection`

ParentImage|endswith: '\provlaunch.exe'

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 2 `not 1 of filter_main_covered_children`

or:
Image|endswith: '\calc.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\notepad.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\wscript.exe'
Image|contains: ':\PerfLogs\'
Image|contains: ':\Temp\'
Image|contains: ':\Users\Public\'
Image|contains: '\AppData\Temp\'
Image|contains: '\Windows\System32\Tasks\'
Image|contains: '\Windows\Tasks\'
Image|contains: '\Windows\Temp\'

Suspicious Provlaunch.EXE Child Process — stage 3 `all of selection_parent`

ParentImage|endswith: '\provlaunch.exe'

Suspicious Provlaunch.EXE Child Process — stage 4 `all of selection_child`

or:
Image|endswith: '\calc.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\notepad.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\wscript.exe'
Image|contains: ':\PerfLogs\'
Image|contains: ':\Temp\'
Image|contains: ':\Users\Public\'
Image|contains: '\AppData\Temp\'
Image|contains: '\Windows\System32\Tasks\'
Image|contains: '\Windows\Tasks\'
Image|contains: '\Windows\Temp\'

Indicators (across all members)

Field	Kind	Value	Members	Corpus
`Image`	ends_with	`\calc.exe`	2	13
`Image`	ends_with	`\cmd.exe`	2	92
`Image`	ends_with	`\cscript.exe`	2	64
`Image`	ends_with	`\mshta.exe`	2	57
`Image`	ends_with	`\notepad.exe`	2	11
`Image`	ends_with	`\powershell.exe`	2	143
`Image`	ends_with	`\pwsh.exe`	2	140
`Image`	ends_with	`\regsvr32.exe`	2	57
`Image`	ends_with	`\rundll32.exe`	2	76
`Image`	ends_with	`\wscript.exe`	2	64
`Image`	match	`:\PerfLogs\`	2	4
`Image`	match	`:\Temp\`	2	12
`Image`	match	`:\Users\Public\`	2	14
`Image`	match	`\AppData\Temp\`	2	3
`Image`	match	`\Windows\System32\Tasks\`	2	4
`Image`	match	`\Windows\Tasks\`	2	4
`Image`	match	`\Windows\Temp\`	2	7
`ParentImage`	ends_with	`\provlaunch.exe`	2	2

eq_0002 — 2 rules with the same canonical form

Members

MITRE ATT&CK coverage

Stages and predicates (per member)

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 1 selection

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 2 not 1 of filter_main_covered_children

Suspicious Provlaunch.EXE Child Process — stage 3 all of selection_parent

Suspicious Provlaunch.EXE Child Process — stage 4 all of selection_child

Indicators (across all members)

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 1 `selection`

Potential Provlaunch.EXE Binary Proxy Execution Abuse — stage 2 `not 1 of filter_main_covered_children`

Suspicious Provlaunch.EXE Child Process — stage 3 `all of selection_parent`

Suspicious Provlaunch.EXE Child Process — stage 4 `all of selection_child`