Suspicious Calc Child Process

Detects a suspicious child process of calc.exe

Sigma rule

title: Suspicious Calc Child Process
id: 76c86421-c373-4cac-9510-66455bc5fcd5
status: experimental
description: Detects the suspicious child process of calc
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Adithya Chandra and Sushant Kumar Arya, Trellix
date: 2022/04/08
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\calc.exe'
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
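To see what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that applies the rule's two `endswith` conditions to a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching and shows why the leading backslash in `'\calc.exe'` matters.

```python
"""Minimal matcher for rule 76c86421-c373-4cac-9510-66455bc5fcd5 (added example)."""

# Suffixes copied from the rule's selection block.
PARENT_SUFFIX = r"\calc.exe"
CHILD_SUFFIXES = (r"\regsvr32.exe", r"\rundll32.exe")

# Constructed sample events in the shape of Windows process_creation logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\calc.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe"},          # match
    {"ParentImage": r"C:\Windows\System32\calc.exe",
     "Image": r"C:\Windows\System32\rundll32.exe"},          # match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe"},          # wrong parent
    {"ParentImage": r"C:\Windows\System32\CALC.EXE",
     "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE"},          # match: case-insensitive
    {"ParentImage": r"C:\Windows\System32\calc.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},           # child not in list
    {"ParentImage": r"C:\Tools\notcalc.exe",
     "Image": r"C:\Windows\System32\rundll32.exe"},          # backslash anchor blocks this
]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's endswith modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def matches(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' (both fields must hit)."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, s) for s in CHILD_SUFFIXES
    )


def run(events: list) -> list:
    """Return the subset of events that would fire this rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

Because `'\calc.exe'` keeps its leading backslash, a parent named `notcalc.exe` does not match; dropping the backslash would widen the rule to any image whose name merely ends in `calc.exe`.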
