Suspicious Calc DLL Load

Detects Windows 7 calc.exe loading DLLs from suspicious or abnormal file paths.

Sigma rule

title: Suspicious Calc DLL Load
id: b47b9cc3-6f9a-4a58-a669-5e5e126514b1
status: experimental
description: Detects Windows 7 calc.exe loading DLLs from suspicious or abnormal file paths.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Micah Babinski
date: 2022/11/19
tags:
    - attack.persistence
    - attack.t1574
logsource:
    # ImageLoaded is a field of image load events (Sysmon Event ID 7), not of
    # process creation events, so the rule must be matched against image_load telemetry.
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\calc.exe'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32'
            - 'C:\Windows\SysWOW64'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
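The rule's logic, applied to a handful of image load records, as an added example that is not part of the Sigma rule or the Sigma project. The records below are constructed sample values in a JSON-lines shape, not captured telemetry, and the field names follow the Sysmon Event ID 7 fields the rule refers to (Image, ImageLoaded). Sigma string modifiers match case-insensitively, so both sides are lower-cased before comparison.

```python
import json

# Constructed Sysmon Event ID 7 (image load) records, one JSON object per line.
# Sample values written for this example; the DLL and user names are made up.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\calc.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\example.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\calc.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 7, "Image": "C:\\Windows\\SysWOW64\\calc.exe", "ImageLoaded": "c:\\windows\\syswow64\\KERNEL32.DLL"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll"}
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\calc.exe", "CommandLine": "calc.exe"}
"""

# The two prefixes from the rule's filter, lower-cased once for comparison.
TRUSTED_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(event):
    """Return True when the event satisfies `selection and not filter`.

    selection: Image ends with '\\calc.exe'
    filter:    ImageLoaded starts with one of the trusted Windows directories
    The logsource restricts matching to image load events, i.e. Sysmon EID 7.
    """
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    selection = image.endswith("\\calc.exe")
    filtered = loaded.startswith(TRUSTED_PREFIXES)
    return selection and not filtered


def run_detection(text):
    """Return the events from a JSON-lines log that the rule would alert on."""
    return [e for e in load_events(text) if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Only the first record fires: calc.exe running from a user profile loads a DLL from that same directory. The System32 and SysWOW64 loads are excluded by the filter, the notepad.exe load fails the selection, and the process creation record is outside the rule's logsource. Note that the filter prefixes carry no trailing backslash, so a tighter port of this rule could append one ('C:\Windows\System32\') to exclude exactly those two directories rather than any path beginning with those strings.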
