Pcalua Script Execution
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Pcalua.exe (Program Compatibility Assistant) is a Windows component that detects compatibility issues when an older program is executed.
When it detects such an issue, Pcalua.exe may prompt the user to run a script that rectifies it.
Because it is a Microsoft-signed system binary that can launch another program on the user's behalf, attackers may abuse it to execute malicious scripts locally or from remote shares and to install malware on the target systems.
Attack chain scenario: Phishing attack -> Pcalua-based script execution -> Malicious software installation
Impact:
Adversaries can use it to:
- Bypass detection systems by launching payloads through a trusted Windows binary
- Install malware, other malicious software, and ransomware
- Execute malicious scripts
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation events. Prerequisites are installing and configuring Sysmon (Event ID 1), enabling the Audit Process Creation policy (Security Event ID 4688), and enabling command-line auditing so that the full command line is recorded in those events.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0005- Defense Evasion
Technique: T1202- Indirect Command Execution
Criteria:
( ( Process Name = "*pcalua.exe" ) AND ( Command Line contains "-a" ) )
pcalua.exe- Use of Pcalua.exe in the command line may indicate that attackers are attempting to execute malicious scripts and payloads on the target systems. The -a switch is the argument with which Pcalua.exe launches the target program. Note that the criteria match on the process name, so a renamed copy of the binary would not trigger the rule; if Sysmon is in use, the OriginalFileName field of Event ID 1 can be used to catch renamed copies.
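The following is an added example (not part of the original rule page or any vendor code) that runs the criteria above over a handful of constructed process-creation events, modelled on Sysmon Event ID 1 fields. It implements the page's criteria as written, then a tightened variant, labelled as an assumption of this example, that requires "-a" to be a standalone switch so that a path such as "build-all" does not match, and a small triage helper whose indicators (remote-share target, script extension, Office parent) are likewise this example's own heuristics.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 1; a Security 4688 record carries the same data under
# NewProcessName / CommandLine / ParentProcessName.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # script on a remote share launched through pcalua, spawned from cmd.exe
        "Image": r"C:\Windows\System32\pcalua.exe",
        "CommandLine": r'"C:\Windows\System32\pcalua.exe" -a \\fileserver\public\setup.bat',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # downloaded script launched through pcalua, spawned from Word
        "Image": r"C:\Windows\System32\pcalua.exe",
        "CommandLine": r'pcalua.exe -a C:\Users\alice\Downloads\invoice.vbs',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # plausible legitimate use: old installer launched from Explorer
        "Image": r"C:\Windows\System32\pcalua.exe",
        "CommandLine": r'"C:\Windows\System32\pcalua.exe" -a "C:\Program Files (x86)\OldApp\setup.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # pcalua with a path that merely contains "-a" and no -a switch
        "Image": r"C:\Windows\System32\pcalua.exe",
        "CommandLine": r'"C:\Windows\System32\pcalua.exe" C:\tools\build-all\run.exe',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process whose command line contains "-a"
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c dir C:\data-archive',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def matches_rule(event: Dict[str, str]) -> bool:
    """The page's criteria: Process Name = "*pcalua.exe" AND Command Line contains "-a"."""
    image = event.get("Image", "").lower()          # Windows paths are case-insensitive
    return image.endswith("pcalua.exe") and "-a" in event.get("CommandLine", "")


# "-a" must stand alone as a switch (start/whitespace before, whitespace/end after).
_SWITCH_RE = re.compile(r"(^|\s)-a(\s|$)", re.IGNORECASE)


def matches_rule_strict(event: Dict[str, str]) -> bool:
    """Tightened variant (this example's assumption, not the page's rule):
    only a standalone -a switch counts, so substrings such as 'build-all' do not match."""
    image = event.get("Image", "").lower()
    return image.endswith("pcalua.exe") and bool(_SWITCH_RE.search(event.get("CommandLine", "")))


def launched_target(cmdline: str) -> str:
    """Return the program/script path that follows the -a switch, or '' if absent."""
    m = _SWITCH_RE.search(cmdline)
    if not m:
        return ""
    return cmdline[m.end():].strip().strip('"').lower()


SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".wsf")   # heuristic list
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def triage(event: Dict[str, str]) -> List[str]:
    """Heuristic indicators for a matched event (this example's own, not the page's).
    An empty list means nothing beyond the bare match; such hits are the known
    false-positive case and should be confirmed with the user."""
    reasons: List[str] = []
    target = launched_target(event.get("CommandLine", ""))
    parent = event.get("ParentImage", "").lower()
    if target.startswith("\\\\"):
        reasons.append("target is on a remote share")
    if target.endswith(SCRIPT_EXTS):
        reasons.append("target is a script file")
    if parent.endswith(OFFICE_PARENTS):
        reasons.append("spawned by an Office application (possible phishing document)")
    return reasons


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the strict criteria to every event and attach triage indicators."""
    return [
        {"CommandLine": e["CommandLine"], "indicators": triage(e)}
        for e in events
        if matches_rule_strict(e)
    ]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["CommandLine"], "->", hit["indicators"] or ["no extra indicators; verify with user"])
```

Running the sample set, the page's criteria match four of the five events, including the one whose only "-a" is inside a directory name; the standalone-switch variant drops that one, and the triage output separates the remote-share and Office-spawned script launches from the Explorer-launched installer that the "Known false positives" section describes.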
When to enable this rule:
Security standards (NIST CSF 2.0):
Enabling this rule will help you meet the security standards' requirements listed below:
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
When this rule is triggered, you are notified that Pcalua.exe has executed a script or command. This lets you review the access and permissions involved and take corrective measures, such as regularly monitoring the use of such tools for unauthorized activity.
Known false positives: False positives may occur when Pcalua.exe is legitimately used to run a program or script that resolves a compatibility issue.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
- Implement access controls: Deploy strong access controls and permissions to ensure users have access to only authorized resources.