Suspicious Calculator Usage

calendar Aug 12, 2024 · attack.defense-evasion attack.t1036  ·
Share on: linkedin copy

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

Sigma rule (View on GitHub)

 1title: Suspicious Calculator Usage
 2id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
 3status: test
 4description: |
 5        Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
 6references:
 7    - https://twitter.com/ItsReallyNick/status/1094080242686312448
 8author: Florian Roth (Nextron Systems)
 9date: 2019-02-09
10modified: 2023-11-09
11tags:
12    - attack.defense-evasion
13    - attack.t1036
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_1:
19        CommandLine|contains: '\calc.exe '
20    selection_2:
21        Image|endswith: '\calc.exe'
22    filter_main_known_locations:
23        Image|contains:
24            - ':\Windows\System32\'
25            - ':\Windows\SysWOW64\'
26            - ':\Windows\WinSxS\'
27    condition: selection_1 or ( selection_2 and not filter_main_known_locations )
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top