Indirect Command Execution By Program Compatibility Wizard

 1title: Indirect Command Execution By Program Compatibility Wizard
 2id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
 3status: test
 4description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
 5references:
 6    - https://twitter.com/pabraeken/status/991335019833708544
 7    - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
 8author: A. Sungurov , oscd.community
 9date: 2020/10/12
10modified: 2021/11/27
11tags:
12    - attack.defense_evasion
13    - attack.t1218
14    - attack.execution
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        ParentImage|endswith: '\pcwrun.exe'
21    condition: selection
22fields:
23    - ComputerName
24    - User
25    - ParentCommandLine
26    - CommandLine
27falsepositives:
28    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
29    - Legit usage of scripts
30level: low

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Pcwrun | LOLBAS

  Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Sec...

  
  Read More

Related rules

• CMSTP Execution Process Creation
• DLL Execution via Rasautou.exe
• Malicious PE Execution by Microsoft Visual Studio Debugger
• Verclsid.exe Runs COM Object
• CMSTP Execution Registry Event