Use of Pcalua For Execution
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Sigma rule
```yaml
title: Use of Pcalua For Execution
id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
related:
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsolete
status: test
description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2023-01-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\pcalua.exe'
        CommandLine|contains: ' -a' # No space after the flag, because pcalua accepts anything as long as a "-a" is present
    condition: selection
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
```
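To see how the `selection` block above behaves on process-creation telemetry, here is an added Python example (not code from the Sigma project or from this rule's authors) that implements the two modifiers with Sigma's default case-insensitive string matching and runs them over a few constructed Sysmon-style events; the event dicts, file paths and `pcalua.exe` command lines in it are constructed samples.

```python
# Added example: a minimal evaluator for this rule's `selection` block.
# Sigma `endswith`/`contains` match case-insensitively by default, so both sides are lower-cased.
from typing import Dict, List

# The rule's selection, kept as data so it reads like the YAML above.
SELECTION = {
    "Image|endswith": "\\pcalua.exe",
    "CommandLine|contains": " -a",
}


def field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier with default (case-insensitive) matching."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str]) -> bool:
    """All keys in a Sigma selection map are AND-ed together."""
    for key, pattern in SELECTION.items():
        field, modifier = key.split("|", 1)
        if not field_matches(event.get(field, ""), modifier, pattern):
            return False
    return True


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if selection_matches(e)]


# Constructed process_creation events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\PCALUA.EXE",   # different casing, still matches
     "CommandLine": "PCALUA.EXE -A notepad.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe",   # no -a flag: no alert
     "CommandLine": "pcalua.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",      # wrong image: no alert
     "CommandLine": "cmd.exe /c dir -a"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample shows why the rule keys on `Image` as well as `CommandLine`: a bare `' -a'` substring alone would fire on unrelated tools.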