title: Indirect Command Execution By Program Compatibility Wizard
id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
status: experimental
author: A. Sungurov, oscd.community
references:
    - https://twitter.com/pabraeken/status/991335019833708544
    - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
date: 2020/10/12
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - ParentCommandLine
    - CommandLine
falsepositives:
    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
    - Legitimate usage of scripts
level: low
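As an added example (not part of the Sigma rule itself or of the Sigma project), the following Python evaluates this rule's `selection` against constructed Sysmon-style process_creation events and surfaces the rule's `fields` for each hit; it implements only the `endswith` modifier the rule uses, with Sigma's case-insensitive string comparison, and the events and host names are made up.

```python
# Added example: evaluate the rule's selection over constructed process_creation
# events. Sigma string comparisons are case-insensitive; endswith is a suffix test.

# The selection from the rule: ParentImage|endswith: '\pcwrun.exe'
SELECTION = {"ParentImage|endswith": "\\pcwrun.exe"}
FIELDS = ["ComputerName", "User", "ParentCommandLine", "CommandLine"]

def field_matches(event, key, expected):
    """Evaluate one Sigma 'Field|modifier' pair against an event.
    Only the modifiers this rule needs are implemented; a missing field never matches."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection=SELECTION):
    # A Sigma selection map is an AND of its field conditions.
    return all(field_matches(event, k, v) for k, v in selection.items())

def alerts(events):
    """Return the rule's `fields` for every event the selection matches."""
    return [{f: e.get(f) for f in FIELDS} for e in events if selection_matches(e)]

# Constructed sample events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\System32\\pcwrun.exe",
     "ParentCommandLine": "pcwrun.exe C:\\Temp\\fix.bat",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Temp\\fix.bat"},
    {"ComputerName": "WS02", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ComputerName": "WS03", "User": "CORP\\carol",
     "ParentImage": "C:\\WINDOWS\\SYSTEM32\\PCWRUN.EXE",  # case differs: still matches
     "ParentCommandLine": "PCWRUN.EXE C:\\Temp\\fix.ps1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Temp\\fix.ps1"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

The rule flags every child of pcwrun.exe regardless of the command, which is why its falsepositives entry asks for outlier analysis on the surfaced ParentCommandLine/CommandLine pairs rather than treating each hit as malicious.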