Techniques
Sample rules
Use of Pcalua For Execution
- source: sigma
- techniques:
  - t1059
Description
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN to bypass application whitelisting.
Detection logic
condition: selection
selection:
  CommandLine|contains: ' -a'
  Image|endswith: \pcalua.exe
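
How the selection above evaluates against process-creation events, as an added example that is not part of the Sigma rule or its project. The event records, their `id` field and the helper names are constructed for illustration; the matcher assumes Sigma's default case-insensitive string comparison and that all fields in a selection are ANDed.

```python
# Added example: evaluate the rule's selection over constructed process events.
SELECTION = {
    "CommandLine|contains": " -a",
    "Image|endswith": r"\pcalua.exe",
}

# The string modifiers this rule uses, plus plain equality for unmodified fields.
MODIFIERS = {
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
    "equals": lambda value, pattern: value == pattern,
}

def field_matches(event, key, pattern):
    """Apply one 'Field|modifier: pattern' entry to an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:  # a missing field can never satisfy the selection
        return False
    test = MODIFIERS[modifier or "equals"]
    # Sigma compares strings case-insensitively unless told otherwise.
    return test(str(value).lower(), pattern.lower())

def selection_matches(event, selection=SELECTION):
    """All entries of a selection must match (logical AND)."""
    return all(field_matches(event, k, p) for k, p in selection.items())

def detect(events):
    """Return the ids of events that satisfy 'condition: selection'."""
    return [e["id"] for e in events if selection_matches(e)]

# Constructed sample events (hypothetical paths and command lines).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Temp\setup.exe"},
    {"id": 2, "Image": r"C:\WINDOWS\system32\PCALUA.EXE",  # upper-case variant
     "CommandLine": r'"C:\WINDOWS\system32\PCALUA.EXE" -A notepad.exe'},
    {"id": 3, "Image": r"C:\Windows\System32\pcalua.exe",  # no -a switch
     "CommandLine": "pcalua.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",     # other image
     "CommandLine": "cmd.exe /c dir -a"},
    {"id": 5, "Image": r"C:\Tools\notpcalua.exe",          # '\' anchors the name
     "CommandLine": "notpcalua.exe -a x"},
    {"id": 6, "Image": r"C:\Windows\System32\pcalua.exe"}, # CommandLine not logged
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Event 6 shows the dependency on command-line logging: without the `CommandLine` field the rule cannot fire even though the image matches.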