
Summary
This rule detects exploitation of the Follina vulnerability (CVE-2022-30190) through indirect command execution via pcwrun.exe, the Program Compatibility Assistant's executable. The tactic is associated with defense evasion, because the exploit drives the legitimate pcwrun.exe process to perform potentially malicious actions. Detection is based on process creation events in which the image name ends with 'pcwrun.exe' and the command line contains '../', which indicates an attempt to execute a command outside the expected directory structure, a common way of evading security mechanisms. The rule is rated high severity because this vulnerability is actively exploited across a variety of attack vectors.
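The two conditions described above, written out as a small offline detector so the matching logic can be tested against sample telemetry. This is an added example, not the rule's own code or query. It assumes process creation events arrive as dicts with "Image" and "CommandLine" fields (the field names Sysmon Event ID 1 uses); the sample events are constructed, and the suspicious command line uses a placeholder in place of any real argument.

```python
from typing import Dict, Iterable, List

# The two literal conditions the rule names.
TARGET_IMAGE = "pcwrun.exe"
TRAVERSAL_MARKER = "../"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when both rule conditions hold:
    the image name ends with pcwrun.exe and the command line contains '../'.
    The image comparison is case-insensitive, mirroring Sigma's default
    string matching, so PCWRUN.EXE is treated the same as pcwrun.exe."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return image.lower().endswith(TARGET_IMAGE) and TRAVERSAL_MARKER in cmdline


def scan(events: Iterable[Dict[str, str]]) -> List[int]:
    """Return the indices of events that match the rule."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


# Constructed sample events (not real telemetry). Only the second one carries
# the pattern the rule describes; its argument is a labelled placeholder.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\pcwrun.exe",
        "CommandLine": r'"C:\Windows\System32\pcwrun.exe" C:\Users\Public\app.exe',
    },
    {
        "Image": r"C:\Windows\System32\pcwrun.exe",
        "CommandLine": r'"C:\Windows\System32\pcwrun.exe" ../../PLACEHOLDER_PATH',
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe ../../notes.txt",
    },
]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print("rule match:", SAMPLE_EVENTS[idx]["CommandLine"])
```

Both checks are deliberately literal: the image test is an endswith on the file name and the command line test is a substring search for the exact characters the rule names, so the function reproduces the rule's stated scope rather than a broader path-traversal heuristic. The third sample shows that '../' alone, in another process, is not enough to fire.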
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-06-13