Techniques
Sample rules
Code Execution via Pcwutl.dll
- source: sigma
- techniques:
  - t1218
  - t1218.011
Description
Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - pcwutl
    - LaunchApplication
selection_img:
  - Image|endswith: \rundll32.exe
  - OriginalFileName: RUNDLL32.EXE
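
The detection logic above, evaluated over process-creation events. This is an added example, not part of the Sigma rule or its project; the event records, their "id" labels and the paths in them are constructed, and the function names are hypothetical.

```python
# Added example: applies the rule's selections to constructed events.
# Sigma string matching is case-insensitive by default, so values are lowercased.

def selection_img(event):
    # A list of maps in Sigma is an OR: either field matching is enough.
    # OriginalFileName still matches a rundll32.exe copied under another name.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"

def selection_cli(event):
    # contains|all: every listed substring must appear in the command line.
    cmdline = event.get("CommandLine", "").lower()
    return all(s in cmdline for s in ("pcwutl", "launchapplication"))

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

# Constructed sample events (not taken from real telemetry).
EVENTS = [
    {"id": "plain",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe pcwutl.dll,LaunchApplication C:\example\app.exe"},
    {"id": "renamed",
     "Image": r"C:\Users\Public\helper.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"helper.exe PCWUTL.DLL,launchapplication C:\example\app.exe"},
    {"id": "other-dll",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": "not-rundll32",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c findstr LaunchApplication pcwutl.txt"},
]

def alerts(events):
    # Return the ids of the events the rule would fire on.
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(alerts(EVENTS))
```
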