Use of Pcalua For Execution
Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Sigma rule (View on GitHub)
1title: Use of Pcalua For Execution
2id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
3related:
4 - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
5 type: obsoletes
6status: test
7description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
8references:
9 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
10 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
11author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
12date: 2022/06/14
13modified: 2023/01/04
14tags:
15 - attack.execution
16 - attack.t1059
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\pcalua.exe'
23 CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a"
24 condition: selection
25falsepositives:
26 - Legitimate use by a via a batch script or by an administrator.
27level: medium
References
Related rules
- Perl Inline Command Execution
- Php Inline Command Execution
- Ruby Inline Command Execution
- Suspicious Execution via macOS Script Editor
- DarkGate - Autoit3.EXE Execution Parameters