Suspicious Calculator Usage

Sigma Rules

Summary
The rule 'Suspicious Calculator Usage' detects potentially malicious use of 'calc.exe' on Windows systems. It fires when 'calc.exe' is launched with specific command line parameters, or when it is executed from a suspicious directory outside the standard locations where the Calculator binary resides. The detection logic uses two selections: the first matches the presence of 'calc.exe' in the command line arguments, the second matches on the image path of the executable. A filter then excludes executions from the known system directories 'C:\Windows\System32', 'C:\Windows\SysWOW64' and 'C:\Windows\WinSxS'. This separates legitimate usage from the evasion tactics attackers commonly employ to mask unauthorized actions behind a benign-looking program name. The rationale is that legitimate applications can be leveraged for nefarious purposes, so their unusual invocation patterns warrant scrutiny.
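As an added illustration, not part of this page or of the Sigma project's own code, the Python below reproduces the selection and filter logic described above and runs it over a handful of constructed process-creation events. It assumes the rule condition is "selection 1 or (selection 2 and not filter)", that the command line selection looks for 'calc.exe' followed by further arguments, and that paths are compared case-insensitively with a trailing backslash on each excluded directory so that a sibling directory with a similar prefix does not pass the filter. The sample events and the argument string in them are constructed, not real telemetry.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Directories the rule treats as the legitimate homes of calc.exe (from the
# rule summary). Each ends with a backslash so that a sibling directory such
# as C:\Windows\System32Evil\ does not slip through the filter (assumption).
LEGIT_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. the Image and CommandLine
    fields of a Sysmon Event ID 1 or a Security 4688 event)."""
    image: str         # full path of the started executable
    command_line: str  # command line as logged


def command_line_hit(ev: ProcessEvent) -> bool:
    """Selection 1: 'calc.exe' appears in the command line followed by
    further arguments (assumed reading of 'specific parameters')."""
    return "calc.exe " in ev.command_line.lower()


def image_hit(ev: ProcessEvent) -> bool:
    """Selection 2: the started image is named calc.exe."""
    return ev.image.lower().endswith("\\calc.exe")


def in_legit_dir(ev: ProcessEvent) -> bool:
    """Filter: the image lives in one of the known system directories."""
    return ev.image.lower().startswith(LEGIT_DIRS)


def matches(ev: ProcessEvent) -> bool:
    """Rule condition (assumed): selection1 or (selection2 and not filter)."""
    return command_line_hit(ev) or (image_hit(ev) and not in_legit_dir(ev))


# Constructed sample events for illustration only.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("C:\\Windows\\System32\\calc.exe",
                 '"C:\\Windows\\System32\\calc.exe"'),   # normal launch
    ProcessEvent("C:\\Windows\\SysWOW64\\calc.exe",
                 '"C:\\Windows\\SysWOW64\\calc.exe"'),   # 32-bit launch
    ProcessEvent("C:\\Users\\Public\\calc.exe",
                 '"C:\\Users\\Public\\calc.exe"'),       # copy outside system dirs
    ProcessEvent("C:\\Windows\\System32\\calc.exe",
                 "calc.exe example-argument"),            # constructed argument
    ProcessEvent("C:\\Windows\\Temp\\calc.exe",
                 "calc.exe"),                             # binary in a temp dir
]


def flagged(events: Iterable[ProcessEvent] = SAMPLE_EVENTS) -> List[ProcessEvent]:
    """Return the events the rule would alert on."""
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in flagged():
        print(f"ALERT image={ev.image!r} cmdline={ev.command_line!r}")
```

On the constructed input the two launches from System32 and SysWOW64 pass silently, while the copy under C:\Users\Public, the launch with arguments, and the binary in C:\Windows\Temp are flagged. The prefix check with the trailing backslash is the detail most worth carrying into a real implementation: matching on "C:\Windows\System32" alone would also exclude any path that merely begins with that string.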
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
Created: 2019-02-09