Execute Pcwrun.EXE To Leverage Follina

calendar Oct 17, 2023 · attack.defense_evasion attack.t1218 attack.execution  ·
Share on: linkedin copy

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

Sigma rule (View on GitHub)

 1title: Execute Pcwrun.EXE To Leverage Follina
 2id: 6004abd0-afa4-4557-ba90-49d172e0a299
 3status: test
 4description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
 5references:
 6    - https://twitter.com/nas_bench/status/1535663791362519040
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/06/13
 9tags:
10    - attack.defense_evasion
11    - attack.t1218
12    - attack.execution
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\pcwrun.exe'
19        CommandLine|contains: '../'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top