Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Sigma rule (View on GitHub)
1title: Execute Pcwrun.EXE To Leverage Follina
2id: 6004abd0-afa4-4557-ba90-49d172e0a299
3status: test
4description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
5references:
6 - https://twitter.com/nas_bench/status/1535663791362519040
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-06-13
9tags:
10 - attack.defense-evasion
11 - attack.t1218
12 - attack.execution
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\pcwrun.exe'
19 CommandLine|contains: '../'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Execute MSDT Via Answer File