PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
Sigma rule (View on GitHub)
1title: PUA - Nimgrab Execution
2id: 74a12f18-505c-4114-8d0b-8448dd5485c6
3status: test
4description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
7author: frack113
8date: 2022-08-28
9modified: 2024-11-23
10tags:
11 - attack.command-and-control
12 - attack.t1105
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_name:
18 Image|endswith: '\nimgrab.exe'
19 selection_hashes:
20 Hashes|contains:
21 - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
22 - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
23 - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
24 condition: 1 of selection_*
25falsepositives:
26 - Legitimate use of Nim on a developer systems
27level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- AppX Package Installation Attempts Via AppInstaller.EXE