PUA - NirCmd Execution

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

Sigma rule (View on GitHub)

 1title: PUA - NirCmd Execution
 2id: 4e2ed651-1906-4a59-a78a-18220fca1b22
 3status: test
 4description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
 5references:
 6    - https://www.nirsoft.net/utils/nircmd.html
 7    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 8    - https://www.nirsoft.net/utils/nircmd2.html#using
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2022/01/24
11modified: 2023/02/13
12tags:
13    - attack.execution
14    - attack.t1569.002
15    - attack.s0029
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_org:
21        - Image|endswith: '\NirCmd.exe'
22        - OriginalFileName: 'NirCmd.exe'
23    selection_cmd:
24        CommandLine|contains:
25            - ' execmd '
26            - '.exe script '
27            - '.exe shexec '
28            - ' runinteractive '
29    combo_exec:
30        CommandLine|contains:
31            - ' exec '
32            - ' exec2 '
33    combo_exec_params:
34        CommandLine|contains:
35            - ' show '
36            - ' hide '
37    condition: 1 of selection_* or all of combo_*
38fields:
39    - CommandLine
40    - ParentCommandLine
41falsepositives:
42    - Legitimate use by administrators
43level: medium

References

Related rules

to-top