Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory. The Windows calculator normally takes no arguments and runs only from the OS directories (System32, SysWOW64, WinSxS), so either condition points to a proof-of-concept payload (calc.exe is the canonical "pop calc" test binary) or to masquerading (ATT&CK T1036), such as a copied or renamed binary executed from a non-standard location.
Sigma rule
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
    Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
    - https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: '\calc.exe '
    selection_2:
        Image|endswith: '\calc.exe'
    filter_main_known_locations:
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
    - Unknown
level: high
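The condition has two independent branches: selection_1 fires on any command line in which '\calc.exe' is followed by a space (the trailing space in the pattern is the whole signal: something, presumably an argument, follows the executable name), while selection_2 fires on any process image named calc.exe unless it lives under one of the three OS directories. The following is an added example, not code from the Sigma project or the rule author: a Python re-implementation of that condition run over constructed process_creation events. Field names follow the Sigma process_creation log source (Image, CommandLine); matching is done case-insensitively, as the Sigma specification requires for string modifiers; all paths and command lines are made up for illustration.

```python
"""Added example: the rule's condition re-implemented in Python and run over
constructed process_creation events (illustrative, not captured telemetry)."""

# filter_main_known_locations, lower-cased because Sigma string matching is
# case-insensitive.
KNOWN_LOCATIONS = (
    ":\\windows\\system32\\",
    ":\\windows\\syswow64\\",
    ":\\windows\\winsxs\\",
)


def evaluate(event: dict) -> dict:
    """Return which rule components fire for one event, plus the final verdict."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_1: CommandLine|contains '\calc.exe ' -- the trailing space means
    # something follows the executable name, i.e. an argument was passed.
    selection_1 = "\\calc.exe " in cmdline
    # selection_2: Image|endswith '\calc.exe'
    selection_2 = image.endswith("\\calc.exe")
    # filter_main_known_locations: Image|contains any of the OS directories
    in_known_location = any(loc in image for loc in KNOWN_LOCATIONS)

    # condition: selection_1 or ( selection_2 and not filter_main_known_locations )
    matched = selection_1 or (selection_2 and not in_known_location)
    return {
        "selection_1": selection_1,
        "selection_2": selection_2,
        "filter_main_known_locations": in_known_location,
        "matched": matched,
    }


# Constructed sample events; none of these are real log records.
SAMPLE_EVENTS = [
    # 1. Normal launch of the built-in calculator: quoted path, no arguments.
    {"Image": "C:\\Windows\\System32\\calc.exe",
     "CommandLine": "\"C:\\Windows\\System32\\calc.exe\" "},
    # 2. Built-in binary, but with an argument (what a PoC or test harness does).
    {"Image": "C:\\Windows\\System32\\calc.exe",
     "CommandLine": "C:\\Windows\\System32\\calc.exe /test"},
    # 3. A copy of calc.exe executed from a user-writable directory.
    {"Image": "C:\\Users\\Public\\calc.exe",
     "CommandLine": "\"C:\\Users\\Public\\calc.exe\""},
    # 4. OS path in different letter case: must still count as a known location.
    {"Image": "C:\\WINDOWS\\SYSWOW64\\CALC.EXE",
     "CommandLine": "\"C:\\WINDOWS\\SYSWOW64\\CALC.EXE\""},
    # 5. Side-by-side component store (component directory name is invented).
    {"Image": "C:\\Windows\\WinSxS\\example-component\\calc.exe",
     "CommandLine": "\"C:\\Windows\\WinSxS\\example-component\\calc.exe\""},
    # 6. Unquoted command line with a trailing space and no real argument:
    #    selection_1 fires anyway, which is the rule's main tuning caveat.
    {"Image": "C:\\Windows\\System32\\calc.exe",
     "CommandLine": "C:\\Windows\\System32\\calc.exe "},
]


def run_rule(events) -> list:
    """Return the 1-based indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events, start=1) if evaluate(ev)["matched"]]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        verdict = evaluate(ev)
        print(f"{i}: matched={verdict['matched']}  Image={ev['Image']}")
    print("alerting events:", run_rule(SAMPLE_EVENTS))
```

Events 2, 3 and 6 alert; 1, 4 and 5 do not. Event 6 shows why the rule lists its false positives as unknown: selection_1 cannot distinguish a genuine argument from whitespace that a launcher happened to append to an unquoted command line, and selection_2 will fire on any administrator or red-team copy of calc.exe placed outside the OS directories for testing. Both are worth checking against your own telemetry before treating the rule's high level as actionable without review.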
References
- https://twitter.com/ItsReallyNick/status/1094080242686312448
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution