Detectionlowtest

Indirect Command Execution By Program Compatibility Wizard

Detect indirect command execution via Program Compatibility Assistant pcwrun.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

A. Sungurov, oscd.communityCreated Mon Oct 12Updated Sat Nov 27b97cd4b1-30b8-4a9d-bd72-6293928d52bcwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection

False Positives

Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts

Legit usage of scripts

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

b97cd4b1-30b8-4a9d-bd72-6293928d52bc

Status

test

Level

low

Type

Detection

Created

Mon Oct 12

Modified

Sat Nov 27

Author

Path

rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml

Raw Tags

attack.defense-evasionattack.t1218attack.execution