Suspicious Child Process Of Program Compatibility Troubleshooter Invoker (Pcwrun.EXE)

Rule Info

Name
Suspicious Child Process Of Program Compatibility Troubleshooter Invoker (Pcwrun.EXE)
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of a suspicious "msdt.exe" child process from the "pcwrun.exe" utility. When a certain number of arguments is met, the "pcwrun.exe" main function calls the "LaunchPcw" function, which is responsible for launching the "msdt.exe" utility. Unfortunately, the path to the "msdt.exe" binary is resolved dynamically by expanding the environment variable "%windir%". An attacker can manipulate this variable, via the "set" command for example, and set its value to a custom path instead of the default "C:\Windows", which would allow them to execute any arbitrary binary named "msdt.exe".
Reference
Internal Research
Date
2024-06-06 00:00:00
Modified
None
Id
454b2f80-d84d-49a1-91ab-366be60a449f
Tags
attack.defense_evasion attack.t1218 attack.execution
Type
Nextron Sigma feed only (private)
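The private rule itself is not shown on this page. The following is an added Python example, not the Nextron rule, that implements the detection logic the description implies: flag process-creation events whose parent is "pcwrun.exe" and whose child image is named "msdt.exe" but does not live under the default Windows system directories. It assumes Sysmon-style field names (EventID 1, ParentImage, Image, CommandLine), assumes the legitimate "msdt.exe" resides in C:\Windows\System32 or C:\Windows\SysWOW64, and runs over constructed sample events rather than real telemetry.

```python
"""Detection sketch for an msdt.exe child of pcwrun.exe that resolved to a
non-default directory (e.g. because %windir% was redirected).

Added example, not the Nextron Sigma rule. Field names follow Sysmon
Event ID 1 (process creation); directory allowlist is an assumption.
"""
from typing import Dict, Iterable, List

# Assumed legitimate locations of msdt.exe on a default Windows install.
LEGIT_MSDT_DIRS = (
    r"c:\windows\system32\\".replace("\\\\", "\\"),
    r"c:\windows\syswow64\\".replace("\\\\", "\\"),
)

# Constructed sample events (not real logs). Only the second one is
# suspicious: pcwrun.exe spawned an msdt.exe outside C:\Windows.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r"C:\Windows\System32\msdt.exe -path pcwdiagnostic",
    },
    {
        "EventID": 1,
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
        "Image": r"C:\Users\Public\Windows\System32\msdt.exe",
        "CommandLine": r"C:\Users\Public\Windows\System32\msdt.exe -path pcwdiagnostic",
    },
    {
        # Same odd path, but the parent is not pcwrun.exe: out of scope here.
        "EventID": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\Public\tools\msdt.exe",
        "CommandLine": r"C:\Users\Public\tools\msdt.exe",
    },
    {
        # Not a process-creation event at all.
        "EventID": 3,
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
        "Image": r"C:\Temp\msdt.exe",
        "CommandLine": "",
    },
]


def is_suspicious_pcwrun_child(event: Dict[str, object]) -> bool:
    """True if pcwrun.exe launched an msdt.exe from a non-default directory."""
    if event.get("EventID") != 1:
        return False
    # Windows paths are case-insensitive; normalise before comparing.
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    if not parent.endswith("\\pcwrun.exe"):
        return False
    if not image.endswith("\\msdt.exe"):
        return False
    # A legitimate msdt.exe sits under the allowlisted system directories.
    return not image.startswith(LEGIT_MSDT_DIRS)


def find_suspicious(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the subset of events that match the detection."""
    return [e for e in events if is_suspicious_pcwrun_child(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT pcwrun.exe -> non-default msdt.exe:", hit["Image"])
```

The allowlist check on the child image path is the key: because pcwrun.exe expands %windir% itself, an msdt.exe spawned from any directory other than the real Windows system directories is the observable artifact of the redirection, and the parent/child pairing keeps the check narrow enough to avoid firing on ordinary msdt.exe use.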

Rule History