PUA - NimScan Execution

Detects usage of NimScan, a port-scanning utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and on specific import hash (IMPHASH) values associated with different versions of the tool.

Sigma rule

```yaml
title: PUA - NimScan Execution
id: 4fd6b1c7-19b8-4488-97f6-00f0924991a3
status: test
description: |
    Detects usage of NimScan, a portscanner utility.
    In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.
    This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
references:
    - https://x.com/cyberfeeddigest/status/1887041526397587859
    - https://github.com/elddy/NimScan
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null
        - Hashes|contains:
              - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8
              - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6
              - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
```
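The following is an added example, not code from the Sigma project or from the rule's author: a minimal evaluator for the rule's `selection` block, run over a few constructed `process_creation` events. It shows the two points a detection engineer needs to read the rule correctly: the selection is a YAML list of two maps, which Sigma joins with OR (a hit on the image name alone, or on any one listed IMPHASH alone, fires the rule), and Sigma's `endswith`/`contains` modifiers match case-insensitively. Only the `\NimScan.exe` suffix and the three IMPHASH values come from the rule; every event, path and other hash below is a constructed placeholder.

```python
# Added example (not part of the Sigma project or the rule's own tooling):
# a minimal evaluator for the rule's `selection` block, run over a few
# constructed process_creation events. Only the IMPHASH values and the image
# suffix come from the rule; every event and every other hash is a placeholder.

from typing import List, Tuple

# Copied from the rule's detection block.
IMAGE_SUFFIX = "\\NimScan.exe"
IMPHASHES = [
    "IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C",  # v1.0.8
    "IMPHASH=B1B6ADACB172795480179EFD18A29549",  # v1.0.6
    "IMPHASH=0D1F896DC7642AD8384F9042F30279C2",  # v1.0.4 and v1.0.2
]

# Placeholder digest so the constructed Hashes fields look like Sysmon's
# "SHA256=...,IMPHASH=..." format; not a real NimScan hash.
_FAKE_SHA256 = "SHA256=" + "0" * 64

# Constructed events (hypothetical hosts, paths and hashes).
SAMPLE_EVENTS = [
    {   # Tool run under its own name; IMPHASH not in the rule's list
        "Image": "C:\\Users\\bob\\Downloads\\NimScan.exe",
        "Hashes": _FAKE_SHA256 + ",IMPHASH=" + "F" * 32,
    },
    {   # Renamed binary; only the import hash identifies it
        "Image": "C:\\Temp\\svc.exe",
        "Hashes": _FAKE_SHA256 + ",IMPHASH=0D1F896DC7642AD8384F9042F30279C2",
    },
    {   # Unrelated process: should not match
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "Hashes": _FAKE_SHA256 + ",IMPHASH=" + "A" * 32,
    },
    {   # Lower-case file name: Sigma string matching is case-insensitive
        "Image": "D:\\tools\\nimscan.exe",
        "Hashes": "",
    },
]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma `endswith` modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    """Sigma `contains` modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def match_reason(event: dict) -> str:
    """
    Return "image", "imphash" or "" for an event.

    The selection is a YAML list of two maps, which Sigma joins with OR:
    a hit on the image name alone, or on any one listed IMPHASH alone,
    is enough. Within `Hashes|contains` the list of values is also ORed.
    """
    if _endswith(event.get("Image", ""), IMAGE_SUFFIX):
        return "image"
    hashes = event.get("Hashes", "")
    if any(_contains(hashes, h) for h in IMPHASHES):
        return "imphash"
    return ""


def matches(event: dict) -> bool:
    """True if the event satisfies `condition: selection`."""
    return match_reason(event) != ""


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Index and matching branch of every event that fires the rule."""
    return [(i, match_reason(e)) for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: matched via {reason}: {SAMPLE_EVENTS[idx]['Image']}")
```

The second constructed event is why the hash branch exists: renaming the file defeats the `Image` check but not the import hash, which is derived from the binary's import table rather than its name. The same property cuts the other way when triaging: an IMPHASH identifies a particular import table, not a particular program, so other binaries built with the same toolchain and imports can share it, which is worth checking before escalating an alert that fired on the hash branch only.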
