← Back to Explore
sigmamediumHunting
Code Execution via Pcwutl.dll
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Detection Query
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_cli:
CommandLine|contains|all:
- pcwutl
- LaunchApplication
condition: all of selection_*
Author
Julia Fomina, oscd.community
Created
2020-10-05
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.011
Raw Content
title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
references:
- https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
- https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
- attack.defense-evasion
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'pcwutl'
- 'LaunchApplication'
condition: all of selection_*
falsepositives:
- Use of Program Compatibility Troubleshooter Helper
level: medium