S1050: PcShare
Analyst context for executives and security teams
PcShare is an open-source remote access tool that ATT&CK records as modified and used in espionage-related activity, including the FunnyDream campaign. Its business significance is not the tool name alone, but the behavior bundle around it: remote access, discovery, credential and screen collection, registry interaction, process manipulation, command execution, and possible exfiltration over command-and-control channels on Windows systems.
Executive priority
Treat PcShare as a validation case for whether Windows endpoint, network, and identity monitoring can distinguish legitimate remote administration from suspicious remote access tooling. The ATT&CK relationships connect this tool to collection, discovery, persistence, stealth, command-and-control, and exfiltration techniques, so leaders should ask whether SOC and incident response teams can reconstruct what a remote access tool did after execution: what it queried, what it captured, what it changed, and what it sent outbound. This is relevant to resilience, audit evidence, and incident decision-making because weak host logging or unmanaged remote access exceptions can leave gaps in proving data exposure or containment scope.
Technical view
ATT&CK does not provide a dedicated detection section for PcShare, so detection engineering should pivot from the related techniques. On Windows, validate visibility for command shell execution, registry query and modification, rundll32 activity, COM hijacking indicators, process injection signals, suspicious file deletion, code-signature anomalies, compressed or encoded payloads, screen/video capture behavior, keylogging-like input capture, process and network configuration discovery, and outbound web-protocol C2/exfiltration patterns. Because PcShare is described as open source and modified, avoid relying only on static names or hashes; prioritize behavioral correlation across process, registry, file, and network evidence.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships, including cmd.exe and rundll32.exe activity
- Registry read/write telemetry, especially changes associated with persistence, COM references, or unusual application configuration
- Endpoint detection logs for process injection, native API abuse, code-signature validation failures, and suspicious module loading
- File system events for dropped tools, compressed or encoded files, decoding/deobfuscation activity, and file deletion
- Network telemetry for unusual outbound HTTP/S or other web-protocol sessions from endpoints, especially when correlated with remote access behavior
Detection direction
- Build detections around behavior chains rather than the PcShare name: discovery followed by registry modification, proxy execution, process injection, collection, and outbound web traffic is more useful than a single artifact match.
- Tune for legitimate administrative tools and software installers that may query the registry, use rundll32, compress files, or delete temporary files; require suspicious context such as unusual parent process, uncommon path, invalid signature, or unexpected outbound communication.
- Correlate endpoint and network events so analysts can determine whether collection activity was followed by exfiltration over an existing C2 channel, as mapped by ATT&CK relationships.
- Validate coverage for Windows-specific persistence and stealth paths, including Modify Registry and COM hijacking, because these are common blind spots when registry telemetry is sampled or disabled.
- Account for modified open-source tooling: signatures may age quickly, while behaviors such as command execution, registry interaction, collection, and web-protocol communications remain more durable.
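The behaviour-chain idea in the telemetry and detection lists above, as an added example that is not part of the original page, of MITRE's content, or of any PcShare tooling: a small Python correlator that runs over constructed Sysmon-style events (process creation, registry value set, network connection) and raises only when several distinct behaviours from this page's technique table, including web-port egress, land on the same host. Host names, paths, IP addresses, the event field layout, the browser and system-directory allowlists, and the three-technique threshold are assumptions chosen for the example; the CLSID in the sample registry event is the one quoted in the T1546.015 row below, and the nslookup command line is the one quoted in the T1016 row.

```python
"""Behaviour-chain correlation over constructed Sysmon-style events (added example).

Sysmon event IDs assumed: 1 = process create, 3 = network connect, 13 = registry value set.
"""
import re
from collections import defaultdict

# Where the named Windows binaries are expected to live (lower-case, no trailing slash). Assumed allowlist.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binary names that PcShare-style tooling has borrowed, proxied through, or injected into (see the page table).
WINDOWS_NAMES = {"wuauclt.exe", "rundll32.exe", "svchost.exe", "cmd.exe", "rdpclip.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}   # assumed egress allowlist
WEB_PORTS = {80, 443, 8080, 8443}
# Per-user COM registration: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32 (Sysmon logs HKCU as HKU\<SID>)
COM_INPROC = re.compile(r"\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)

# Constructed sample events (not real telemetry). WS01 carries a PcShare-like chain; WS02 is benign activity.
EVENTS = [
    {"host": "WS01", "id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\wuauclt.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "wuauclt.exe", "signed": False},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\wuauclt.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\core.dll,Start", "signed": True},
    {"host": "WS01", "id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\(Default)"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com", "signed": True},
    {"host": "WS01", "id": 3, "image": r"C:\Windows\System32\rundll32.exe", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"host": "WS02", "id": 1, "image": r"C:\Windows\System32\wuauclt.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "wuauclt.exe /UpdateDeploymentProvider", "signed": True},
    {"host": "WS02", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "signed": True},
    {"host": "WS02", "id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "198.51.100.5", "dst_port": 443},
]


def split_image(path):
    """Return (directory, filename), both lower-case, from a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def signals_for(ev):
    """Map one event to (technique, reason) pairs; an empty list means nothing notable on its own."""
    out = []
    directory, name = split_image(ev.get("image", ""))
    if ev["id"] == 1:
        cmd = ev.get("cmdline", "").lower()
        # T1036.005: a well-known Windows binary name running outside its expected directory
        if name in WINDOWS_NAMES and directory not in SYSTEM_DIRS:
            out.append(("T1036.005", f"{name} running from {directory}"))
        # T1036.001: the EDR/Sysmon signature check failed or is absent
        if not ev.get("signed", True):
            out.append(("T1036.001", f"{name} has an invalid or missing signature"))
        # T1218.011: rundll32 proxying a DLL that lives in a user-writable location
        if name == "rundll32.exe" and any(p in cmd for p in USER_WRITABLE):
            out.append(("T1218.011", "rundll32 loading a DLL from a user-writable path"))
        # T1016: the public-IP lookup quoted in the technique table
        if "nslookup" in cmd and "myip.opendns.com" in cmd:
            out.append(("T1016", "external IP lookup via nslookup myip.opendns.com"))
    elif ev["id"] == 13:
        target = ev.get("target", "")
        # T1546.015: InprocServer32 written under a user hive, where no admin rights are needed
        if target.upper().startswith(("HKU\\", "HKCU\\")) and COM_INPROC.search(target):
            out.append(("T1546.015", "InprocServer32 registered under a user hive"))
    elif ev["id"] == 3:
        # T1071.001: web-port egress from something that is not a browser (weak alone, strong in a chain)
        if ev.get("dst_port") in WEB_PORTS and name not in BROWSERS:
            out.append(("T1071.001", f"web-port egress from {name} to {ev.get('dst_ip')}"))
    return out


def correlate(events, min_techniques=3):
    """Group signals per host; alert only when web egress joins >= min_techniques distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        for sig in signals_for(ev):
            per_host[ev["host"]].add(sig)
    alerts = {}
    for host, sigs in per_host.items():
        techniques = {tech for tech, _ in sigs}
        if "T1071.001" in techniques and len(techniques) >= min_techniques:
            alerts[host] = sorted(sigs)
    return dict(per_host), alerts


if __name__ == "__main__":
    _, found = correlate(EVENTS)
    for host, chain in found.items():
        print(host)
        for tech, why in chain:
            print(f"  {tech}: {why}")
```

The threshold is the tuning knob from the list above: the benign host never alerts because a signed wuauclt.exe in System32, a stock rundll32 Control Panel call, and browser egress produce no signals at all, while the suspicious host crosses the bar on masquerading path, invalid signature, user-path rundll32, user-hive COM registration, external IP discovery, and egress from rundll32. In production the same chain would be keyed on process GUID or time window rather than host alone, and the registry check would also fire on EDR registry telemetry rather than only Sysmon event 13.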
Mitigation priorities
- Inventory and govern approved remote access tools so unauthorized or modified remote access utilities stand out during triage.
- Harden Windows endpoint controls around script and command execution, suspicious rundll32 usage, registry persistence, COM hijacking paths, and untrusted or invalidly signed binaries.
- Ensure EDR, Windows logging, and network monitoring are configured to preserve enough evidence for incident reconstruction, not only alerting.
- Restrict unnecessary outbound web traffic from endpoints where feasible and monitor for unusual long-lived or low-reputation external communications.
- Use least privilege and administrative control reviews to limit the value of registry modification, process manipulation, and local data access if a workstation is compromised.
Analyst notes and limits
The supplied ATT&CK object has no official detection text and no tactics listed directly on the PcShare software object. The practical guidance above is derived from the official description, the Windows platform field, the external references, and the ATT&CK relationships that record techniques used by this object. Relationship context includes FunnyDream and APT5 use, but this analysis does not infer current activity or customer exposure from that context.
Local validation is required. ATT&CK does not provide PcShare-specific indicators, detection logic, hashes, command lines, or confirmed deployment details in the supplied fields. Some related techniques have broad multi-platform descriptions, but the software object itself is scoped here to Windows. Confidence is limited by the absence of official detection guidance.
PcShare
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.[1] |
| Enterprise | T1071.001 | Web Protocols | PcShare has used HTTP for C2 communication.[1] |
| Enterprise | T1057 | Process Discovery | PcShare can obtain a list of running processes on a compromised host.[1] |
| Enterprise | T1113 | Screen Capture | PcShare can take screen shots of a compromised machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | PcShare can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.com resolver1.opendns.com\r\n`.[1] |
| Enterprise | T1027.015 | Compression | PcShare has been compressed with the LZW algorithm.[1] |
| Enterprise | T1059.003 | Windows Command Shell | PcShare can execute `cmd` commands on a compromised host.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | PcShare has been encrypted with XOR using different 32-character Base16 strings.[1] |
| Enterprise | T1546.015 | Component Object Model Hijacking | PcShare has created the `HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32` Registry key for persistence.[1] |
| Enterprise | T1056.001 | Keylogging | PcShare has the ability to capture keystrokes.[1] |
| Enterprise | T1005 | Data from Local System | PcShare can collect files and information from a compromised host.[1] |
| Enterprise | T1218.011 | Rundll32 | PcShare has used `rundll32.exe` for execution.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.[1] |
| Enterprise | T1012 | Query Registry | PcShare can search the registry files of a compromised host.[1] |
| Enterprise | T1070.004 | File Deletion | PcShare has deleted its files and components from a compromised host.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PcShare can upload files and information from a compromised host to its C2 servers.[1] |
| Enterprise | T1036.001 | Invalid Code Signature | PcShare has used an invalid certificate in an attempt to appear legitimate.[1] |
| Enterprise | T1112 | Modify Registry | PcShare can delete its persistence mechanisms from the registry.[1] |
| Enterprise | T1106 | Native API | PcShare has used a variety of Windows API functions.[1] |
| Enterprise | T1055 | Process Injection | The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes.[1] |
| Enterprise | T1125 | Video Capture | PcShare can capture camera video as part of its collection process.[1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
C0007: FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f611f683b40c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitdefender FunnyDream Campaign November 2020. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Bitdefender. Retrieved September 19, 2022.
[2] GitHub PcShare 2014. LiveMirror. (2014, September 17). PcShare. GitHub. Retrieved October 11, 2022.
[3] MITRE ATT&CK. S1050: PcShare (software object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.