Execute Pcwrun.EXE To Leverage Follina

Last updated on:

Rule name: Execute Pcwrun.EXE To Leverage Follina
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Defense Evasion: System Binary Proxy Execution (T1218)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This detection identifies the execution of pcwrun.exe, the launcher for the Program Compatibility Troubleshooter. It is a legitimate, signed Windows binary that starts msdt.exe, the Microsoft Support Diagnostic Tool at the centre of the Follina vulnerability (CVE-2022-30190). Follina allows remote code execution from a specially crafted Office document: the document references a remote HTML page, and that page invokes msdt.exe through the ms-msdt: protocol handler with parameters that inject a command, so no macro is required. Because pcwrun.exe hands its command-line argument to msdt.exe, an attacker can reach the same vulnerable code path by running pcwrun.exe with a path that contains a traversal sequence ("../") instead of calling msdt.exe or the ms-msdt: handler directly, which sidesteps detections and IOCs that key only on msdt.exe. The rule therefore fires on pcwrun.exe starting with "../" in its command line, a combination that has no ordinary purpose and may indicate an attempt to exploit Follina.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Command and Control

Impact

  • Remote code execution in the context of the user who opened the document
  • Malware deployment through malicious Microsoft Office documents
  • Bypass of macro-based security controls, since the technique needs no macro

Rule Requirement

Prerequisites

Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU, then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking and enable success auditing for both Audit Process Creation and Audit Process Termination. To capture command-line details in event 4688, enable Include command line in process creation events under Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation; without this setting the rule's COMMANDLINE condition has nothing to match. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -accepteula -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter that captures all process creation events (Event ID 1), which carry the Image, CommandLine and ParentImage fields this rule needs. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn't already exist.

Criteria

Action1: actionname = "Process started" AND PROCESSNAME endswith "\pcwrun.exe" AND COMMANDLINE contains "../" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
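The Criteria above as an added PowerShell filter, not code from the rule page, its author or the SIEM: Test-PcwrunFollina applies the same two conditions (process name ending in \pcwrun.exe, command line containing "../") to Sysmon Event ID 1 fields, first over three constructed events and then over the live Sysmon log. The function names and the sample events, including the users, paths and parent processes, are made up for this example.

```powershell
# Added example (not from the rule page): the rule's two conditions over Sysmon
# Event ID 1 fields. Property names (Image, CommandLine, ParentImage, User) are
# Sysmon's; the events below are constructed for this demonstration.

function Test-PcwrunFollina {
    param([Parameter(Mandatory)] [hashtable] $Event)
    # Same conditions as the rule: image ends with \pcwrun.exe (case-insensitive,
    # like the SIEM match) and the command line carries a "../" traversal.
    $image = [string]$Event.Image
    $cmd   = [string]$Event.CommandLine
    return ($image.EndsWith('\pcwrun.exe', [System.StringComparison]::OrdinalIgnoreCase) -and
            $cmd.Contains('../'))
}

# Constructed sample events: an ordinary troubleshooter run, an unrelated process
# with a traversal in its arguments, and a traversal-style pcwrun.exe launch from
# an Office parent.
$sampleEvents = @(
    @{ Image       = 'C:\Windows\System32\pcwrun.exe'
       CommandLine = '"C:\Windows\System32\pcwrun.exe" "C:\Program Files\LegacyApp\app.exe"'
       ParentImage = 'C:\Windows\explorer.exe'; User = 'CORP\alice' },
    @{ Image       = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe ../../notes.txt'
       ParentImage = 'C:\Windows\explorer.exe'; User = 'CORP\alice' },
    @{ Image       = 'C:\Windows\System32\PCWRUN.EXE'
       CommandLine = 'PCWRUN.EXE /../../suspicious'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; User = 'CORP\bob' }
)

$hits = $sampleEvents | Where-Object { Test-PcwrunFollina -Event $_ }
$hits | ForEach-Object {
    # Same columns the rule selects: who ran it, from where, with what.
    [pscustomobject]@{ User = $_.User; Parent = $_.ParentImage; CommandLine = $_.CommandLine }
}

# Against a live host, the same filter over the Sysmon operational log.
function Get-PcwrunFollinaEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten EventData <Data Name="..."> elements into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $data
        } |
        Where-Object { Test-PcwrunFollina -Event $_ }
}
```

Only the third constructed event matches: the ordinary troubleshooter run passes an absolute path, and the notepad.exe traversal has the wrong image. For Security log event 4688 the same conditions apply to the NewProcessName and CommandLine fields. The rule looks only for the forward-slash "../" form; validate in your own lab whether a backslash "..\" variant also reaches msdt.exe before widening the match.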

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution (T1218)

Security Standards

Enabling this rule will help you meet the NIST CSF 2.0 requirements listed below:

ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, it notifies you that pcwrun.exe was started with a path-traversal argument, the pattern used to reach msdt.exe indirectly in the Follina (CVE-2022-30190) attack chain.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

Legitimate use of pcwrun.exe is rare in day-to-day operations. It is normally started when a user runs the Program Compatibility Troubleshooter against an application, and in some environments by IT support tooling or automated scripts. Those invocations pass an ordinary file path, so the "../" condition in the criteria should keep them from matching; if one does match, record the parent process and user and scope any exclusion to that pairing rather than to pcwrun.exe as a whole.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the event to identify the binary or path being passed to pcwrun.exe, and the host and user involved. Confirm whether the behavior aligns with standard user activity or software behavior, or whether it was initiated by a suspicious process or user.
  • Analysis: Investigate the parent process (an Office application such as WINWORD.EXE spawning pcwrun.exe is a strong indicator of a malicious document) and the full command-line arguments. Check whether pcwrun.exe in turn started msdt.exe and what that process did next. Use EDR or SIEM tools to trace the activity timeline, including any document opened or downloaded shortly before.
  • Response: Isolate the host, terminate suspicious processes, preserve the document and any dropped payload for analysis, and perform a full malware scan.
  • Application Control: Implement application whitelisting to restrict the execution of unapproved binaries, including launches proxied through legitimate Windows utilities such as pcwrun.exe and msdt.exe.

Mitigation

M1042 - Disable or Remove Feature or Program
Many native binaries may not be necessary within a given environment. For this rule, apply the June 2022 Windows security update that addresses CVE-2022-30190, and block pcwrun.exe and msdt.exe where the built-in troubleshooters are not needed. Note that Microsoft's interim workaround of disabling the ms-msdt: URL protocol handler stops the document-to-msdt path but not a local pcwrun.exe launch, which starts msdt.exe directly.

M1038 - Execution Prevention
Restrict the execution of binaries that are susceptible to abuse and not required for a given system or network, for example with an AppLocker or WDAC rule that denies pcwrun.exe and msdt.exe to standard users.

M1050 - Exploit Protection
The ATT&CK text refers to the Attack Surface Reduction (ASR) feature of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which can help block methods that use trusted binaries to bypass application control. EMET has been retired; its successor is the Attack Surface Reduction rules in Microsoft Defender Exploit Guard, where the rule "Block all Office applications from creating child processes" prevents an Office parent from spawning pcwrun.exe or msdt.exe at all.

M1037 - Filter Network Traffic
Utilize network appliances to filter incoming and outgoing traffic and perform protocol-based filtering. Also, configure software on endpoints to filter network traffic.

M1026 - Privileged Account Management
Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage.

M1021 - Restrict Web-Based Content
Restrict the use of certain websites, block downloads and attachments, disable JavaScript, and limit browser extensions to enhance security. Blocking the retrieval of the remote HTML page that a Follina document references breaks the chain before msdt.exe is reached.