Grixba Malware Reconnaissance Activity

Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.

Sigma rule

title: Grixba Malware Reconnaissance Activity
id: af688c76-4ce4-4309-bfdd-e896f01acf27
status: experimental
description: |
    Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
    This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
references:
    - https://fieldeffect.com/blog/grixba-play-ransomware-impersonates-sentinelone
    - https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/
author: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-26
tags:
    - attack.reconnaissance
    - attack.t1595.001
    - attack.discovery
    - attack.t1046
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_mode_flag:
        CommandLine|contains:
            - '-m '
            - '-mode '
            - '-m:'
            - '-mode:'
    selection_input_flag:
        CommandLine|contains:
            - '-i '
            - '-input '
            - '-i:'
            - '-input:'
    selection_scan_value:
        CommandLine|contains:
            - 'scan '
            - 'scanall '
    selection_input_options:
        CommandLine|contains:
            - ':f '
            - ':r '
            - ':s '
            - ' f '
            - ' r '
            - ' s '
    condition: all of selection_*
falsepositives:
    - Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/info.yml
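The following is an added example, not part of the Sigma rule page or the SigmaHQ repository, that re-implements the rule's four `CommandLine|contains` selections and the `all of selection_*` condition in plain Python and runs them over a handful of constructed process-creation events. It is useful for understanding what the rule actually requires before deploying it: every one of the four groups must hit, so the '--mode scan --input file.txt' false-positive shape mentioned above only fires if the command line also carries one of the single-letter input-option tokens. The event records, image paths and command lines below are all constructed for illustration; Sigma's `contains` modifier is case-insensitive, which the matcher mirrors by lowercasing both sides.

```python
from typing import Dict, List

# The four selections of the rule, copied verbatim from the YAML above.
MODE_FLAGS = ["-m ", "-mode ", "-m:", "-mode:"]
INPUT_FLAGS = ["-i ", "-input ", "-i:", "-input:"]
SCAN_VALUES = ["scan ", "scanall "]
INPUT_OPTIONS = [":f ", ":r ", ":s ", " f ", " r ", " s "]

SELECTIONS = {
    "selection_mode_flag": MODE_FLAGS,
    "selection_input_flag": INPUT_FLAGS,
    "selection_scan_value": SCAN_VALUES,
    "selection_input_options": INPUT_OPTIONS,
}


def _contains_any(cmdline: str, needles: List[str]) -> bool:
    """Sigma 'contains' semantics: case-insensitive substring, any value in the list."""
    lowered = cmdline.lower()
    return any(n.lower() in lowered for n in needles)


def matched_selections(cmdline: str) -> List[str]:
    """Return the names of the selections that hit, which is handy when tuning."""
    return [name for name, needles in SELECTIONS.items() if _contains_any(cmdline, needles)]


def matches_grixba_rule(cmdline: str) -> bool:
    """condition: all of selection_*  ->  every selection must match."""
    return len(matched_selections(cmdline)) == len(SELECTIONS)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter process_creation events down to those the rule would alert on."""
    return [e for e in events if matches_grixba_rule(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry). The first two follow the
# parameter shapes the rule describes; the third is the documented
# false-positive shape; the last two are ordinary Windows activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\recon.exe",
     "CommandLine": "recon.exe -m scan -i:f hosts.txt"},
    {"Image": r"C:\ProgramData\svc.exe",
     "CommandLine": "svc.exe -mode:scanall -input:s targets.txt"},
    {"Image": r"C:\Program Files\Tool\tool.exe",
     "CommandLine": "tool.exe --mode scan --input file.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s Dhcp"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hit = matches_grixba_rule(event["CommandLine"])
        print(f"{'ALERT ' if hit else 'ok    '} {event['CommandLine']!r} "
              f"-> {matched_selections(event['CommandLine'])}")
```

Running the block shows that only the first two constructed command lines satisfy all four selections; the '--mode scan --input file.txt' line hits three of them and stays silent, which is the behaviour the rule's false-positive note is describing. Because the input-option group consists of two- and three-character tokens, reviewing which selection made the difference (via `matched_selections`) is the quickest way to judge whether an alert in your environment reflects the documented parameter combination or a coincidental overlap.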
