Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Sigma rule (View on GitHub)
1title: Execute Pcwrun.EXE To Leverage Follina
2id: 6004abd0-afa4-4557-ba90-49d172e0a299
3status: test
4description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
5references:
6 - https://twitter.com/nas_bench/status/1535663791362519040
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/13
9tags:
10 - attack.defense_evasion
11 - attack.t1218
12 - attack.execution
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\pcwrun.exe'
19 CommandLine|contains: '../'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
Related rules
- Created Files by Microsoft Sync Center
- Execute MSDT Via Answer File
- Potential Binary Impersonating Sysinternals Tools
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of Scriptrunner.exe