Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Sigma rule
```yaml
title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: experimental
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
    - https://www.nirsoft.net/utils/nircmd.html
author: X__Junior (Nextron Systems)
date: 2024-03-11
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'NirCmd.exe'
    filter_main_img:
        Image|endswith:
            - '\nircmd.exe'
            - '\nircmdc.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
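The rule fires when the PE version resource says the binary is `NirCmd.exe` but the on-disk image name is neither `nircmd.exe` nor `nircmdc.exe`. The following Python is an added illustration of that logic, not code from the Sigma project: it assumes process_creation events as plain dictionaries keyed by the Sigma field names (`Image`, `OriginalFileName`), applies Sigma's case-insensitive string matching, and runs over a handful of constructed sample events.

```python
"""Worked illustration of the 'Renamed NirCmd.EXE Execution' Sigma logic.

Constructed sample process_creation events with only the fields the rule
reads. In production these would come from Sysmon Event ID 1 or a comparable
EDR source that populates OriginalFileName from the PE version resource.
"""

SAMPLE_EVENTS = [
    # Benign: genuine file name, PE metadata matches -> suppressed by filter_main_img
    {"Image": r"C:\Tools\nircmd.exe", "OriginalFileName": "NirCmd.exe"},
    # Benign: console variant, different casing on disk -> also suppressed
    {"Image": r"C:\Tools\NIRCMDC.EXE", "OriginalFileName": "NirCmd.exe"},
    # Renamed copy masquerading as a system binary -> alert
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "NirCmd.exe"},
    # Renamed copy; metadata casing differs but Sigma compares case-insensitively -> alert
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "nircmd.EXE"},
    # Unrelated process -> selection does not match
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Event with no PE metadata at all -> selection cannot match, rule never fires
    {"Image": r"C:\Temp\nometa.exe"},
]

# Values taken from the rule, lower-cased once because Sigma matching is case-insensitive.
ORIGINAL_FILE_NAME = "nircmd.exe"
IMAGE_SUFFIXES = ("\\nircmd.exe", "\\nircmdc.exe")


def _lower(value):
    """Lower-case a string field; None for missing or non-string values."""
    return value.lower() if isinstance(value, str) else None


def selection(event):
    """selection: OriginalFileName equals 'NirCmd.exe'."""
    return _lower(event.get("OriginalFileName")) == ORIGINAL_FILE_NAME


def filter_main_img(event):
    """filter_main_img: Image ends with one of the expected file names."""
    image = _lower(event.get("Image"))
    return image is not None and image.endswith(IMAGE_SUFFIXES)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_img(event)


def detect(events):
    """Return the Image paths of every event that would raise this alert."""
    return [event["Image"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print(f"ALERT Renamed NirCmd.EXE Execution: {image}")
```

The last sample event shows the rule's main blind spot: the selection keys entirely on `OriginalFileName`, so a log source that does not populate that field, or a copy whose version resource has been stripped or edited, produces no match. Pairing this rule with a hash- or signer-based detection covers that gap.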
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Renamed FTP.EXE Execution
- Renamed PingCastle Binary Execution
- Suspicious Runscripthelper.exe
- Add Insecure Download Source To Winget