Code Execution via Pcwutl.dll

 1title: Code Execution via Pcwutl.dll
 2id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
 3status: test
 4description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
 7    - https://twitter.com/harr0ey/status/989617817849876488
 8author: Julia Fomina, oscd.community
 9date: 2020-10-05
10modified: 2023-02-09
11tags:
12    - attack.defense-evasion
13    - attack.t1218.011
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\rundll32.exe'
20        - OriginalFileName: 'RUNDLL32.EXE'
21    selection_cli:
22        CommandLine|contains|all:
23            - 'pcwutl'
24            - 'LaunchApplication'
25    condition: all of selection_*
26falsepositives:
27    - Use of Program Compatibility Troubleshooter Helper
28level: medium

References

• Pcwutl on LOLBAS

  

  Pcwutl.dll is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• x.com

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• CobaltStrike Load by Rundll32
• Equation Group DLL_U Export Function Load
• EvilNum APT Golden Chickens Deployment Via OCX Files