Code Execution via Pcwutl.dll
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Sigma rule (View on GitHub)
1title: Code Execution via Pcwutl.dll
2id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
3status: test
4description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
5references:
6 - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
7 - https://twitter.com/harr0ey/status/989617817849876488
8author: Julia Fomina, oscd.community
9date: 2020/10/05
10modified: 2023/02/09
11tags:
12 - attack.defense_evasion
13 - attack.t1218.011
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\rundll32.exe'
20 - OriginalFileName: 'RUNDLL32.EXE'
21 selection_cli:
22 CommandLine|contains|all:
23 - 'pcwutl'
24 - 'LaunchApplication'
25 condition: all of selection_*
26falsepositives:
27 - Use of Program Compatibility Troubleshooter Helper
28level: medium
References
-
Launch executable by calling the LaunchApplication function. rundll32.exe pcwutl.dll,LaunchApplication calc.exe Use caseLaunch an executable. Privileges requiredUser Operating systemsWindows 10, Wi...
Read More -
Related rules
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities
- Rundll32 with Suspicious Process Lineage
- Rundll32 without Command Line
- Removal Of AMSI Provider Registry Keys