Indirect Command Execution By Program Compatibility Wizard
Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
Sigma rule (View on GitHub)
1title: Indirect Command Execution By Program Compatibility Wizard
2id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
3status: test
4description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
5references:
6 - https://twitter.com/pabraeken/status/991335019833708544
7 - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
8author: A. Sungurov , oscd.community
9date: 2020-10-12
10modified: 2021-11-27
11tags:
12 - attack.defense-evasion
13 - attack.t1218
14 - attack.execution
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\pcwrun.exe'
21 condition: selection
22fields:
23 - ComputerName
24 - User
25 - ParentCommandLine
26 - CommandLine
27falsepositives:
28 - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
29 - Legit usage of scripts
30level: low
References
-
Pcwrun.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center