PUA - Nimgrab Execution

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Sigma rule

title: PUA - Nimgrab Execution
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: test
description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022/08/28
modified: 2023/02/13
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    selection_hash:
        - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
        - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
        - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Nim on developer systems
level: high
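The rule fires when any one of its three selections matches: the image name, a Sysmon-style `Hashes` field containing one of the listed hash strings, or a dedicated `md5`/`sha256`/`Imphash` field carrying one of those values. The following Python evaluator, an added example that is neither part of the Sigma project nor of its conversion tooling, reproduces that logic and runs it over constructed process_creation events, including a renamed binary that only the content hashes catch. The hash values are the ones from the rule above; the event field layout (`Image`, `Hashes`, `md5`, `sha256`, `Imphash`) is assumed to follow the rule's own field names.

```python
# Added example: a minimal evaluator for the detection logic of the
# "PUA - Nimgrab Execution" Sigma rule. Not Sigma's own code; the events
# below are constructed, not real telemetry.

# Hash values as listed in the rule.
RULE_HASHES = {
    "md5": "2DD44C3C29D667F5C0EF5F9D7C7FFB8B",
    "sha256": "F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559",
    "imphash": "C07FDDD21D123EA9B3A08EEF44AAAC45",
}


def selection_name(event):
    # Image|endswith: '\nimgrab.exe'. Sigma string matching is case-insensitive.
    return event.get("Image", "").lower().endswith("\\nimgrab.exe")


def selection_hashes(event):
    # Hashes|contains: any of 'MD5=...', 'SHA256=...', 'IMPHASH=...'
    # (Sysmon packs all hashes into one comma-separated Hashes field).
    hashes = event.get("Hashes", "").upper()
    return any(f"{algo.upper()}={value}" in hashes
               for algo, value in RULE_HASHES.items())


def selection_hash(event):
    # selection_hash is a list of maps; each map is an alternative, so OR them.
    alternatives = (("md5", "md5"), ("sha256", "sha256"), ("Imphash", "imphash"))
    return any(event.get(field, "").upper() == RULE_HASHES[algo]
               for field, algo in alternatives)


SELECTIONS = {
    "selection_name": selection_name,
    "selection_hashes": selection_hashes,
    "selection_hash": selection_hash,
}


def matched_selections(event):
    """Names of the selections this event satisfies (useful for triage)."""
    return [name for name, check in SELECTIONS.items() if check(event)]


def matches(event):
    """condition: 1 of selection_* -- a single satisfied selection is enough."""
    return bool(matched_selections(event))


def scan(events):
    """Return (index, matched selections) for every alerting event."""
    return [(i, matched_selections(e)) for i, e in enumerate(events) if matches(e)]


# Constructed sample events (hash strings other than the rule's are dummies).
SAMPLE_EVENTS = [
    # 0: nimgrab run from its usual location; caught by the image name
    {"Image": r"C:\Users\dev\.nimble\bin\nimgrab.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    # 1: the same binary renamed; only the content hashes still match
    {"Image": r"C:\Temp\update.exe",
     "Hashes": "MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B,"
               "SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559,"
               "IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45"},
    # 2: unrelated process; must not alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": "MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
    # 3: source with a separate lowercase sha256 field; selection_hash covers it
    {"Image": r"C:\tools\grab.exe",
     "sha256": "f266609e91985f0fe3e31c5e8faeeec4ffa5e0322d8b6f15fe69f4c5165b9559"},
]


if __name__ == "__main__":
    for index, selections in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['Image']} -> {selections}")
```

Because the `Hashes` and per-field checks compare normalized uppercase values, the evaluator behaves like Sigma's default case-insensitive matching regardless of how a given log source renders hex digests; the renamed-binary event shows why the rule keeps hash selections alongside the image-name check.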
