Renamed NirCmd.EXE Execution

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Sigma rule (View on GitHub)

 1title: Renamed NirCmd.EXE Execution
 2id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
 3status: experimental
 4description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 7    - https://www.nirsoft.net/utils/nircmd.html
 8author: X__Junior (Nextron Systems)
 9date: 2024-03-11
10tags:
11    - attack.execution
12    - attack.t1059
13    - attack.defense-evasion
14    - attack.t1202
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        OriginalFileName: 'NirCmd.exe'
21    filter_main_img:
22        Image|endswith:
23            - '\nircmd.exe'
24            - '\nircmdc.exe'
25    condition: selection and not 1 of filter_main_*
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top