Detectionmediumtest
Code Execution via Pcwutl.dll
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Julia Fomina, oscd.communityCreated Mon Oct 05Updated Thu Feb 099386d78a-7207-4048-9c9f-a93a7c2d1c05windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'pcwutl'
- 'LaunchApplication'
condition: all of selection_*False Positives
Use of Program Compatibility Troubleshooter Helper
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
9386d78a-7207-4048-9c9f-a93a7c2d1c05
Status
test
Level
medium
Type
Detection
Created
Mon Oct 05
Modified
Thu Feb 09
Author
Path
rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
Raw Tags
attack.defense-evasionattack.t1218.011