Nullsoft Scriptable Installer Script (NSIS) file creation
Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.
Sigma rule
```yaml
title: Nullsoft Scriptable Installer Script (NSIS) file creation
id: b95288d8-020a-4df0-95cb-d2d3a806ab11
description: Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.
status: experimental
date: 2023-06-12
modified: 2024-02-23
author: "Maxime THIEBAUT (@0xThiebaut), @TheDFIRReport"
references:
  - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
  - https://nsis.sourceforge.io/Docs/System/System.html
logsource:
  category: file_event
  product: windows
detection:
  selection1:
    TargetFilename|contains: '\Temp\ns'
    TargetFilename|endswith: '.tmp\System.dll'
  condition: selection1
falsepositives:
  - Legitimate NSIS installers (e.g., Razer Chroma, Pulse Secure, ...)
level: low
tags:
  - attack.execution #TA0002
  - attack.t1106
  - dist.public
```
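To show what `selection1` actually matches, the following added example (not part of the rule or of The DFIR Report's tooling) evaluates the two `TargetFilename` conditions over a handful of constructed Windows file-creation records in the shape of Sysmon Event ID 11 (FileCreate), which is the usual backend mapping for the `file_event` log source. It assumes Sigma's default case-insensitive string matching and that both modifiers inside one selection are combined with AND; the paths, image names and the `nsXXXX.tmp` folder names are made up for illustration.

```python
"""Evaluate the NSIS System.dll file-creation selection over constructed
Sysmon-style FileCreate records. Sample data is hypothetical, not real telemetry."""

from typing import Dict, List

# Sigma string modifiers match case-insensitively by default; mirror that here.
def sigma_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def matches_nsis_system_dll(event: Dict[str, str]) -> bool:
    """selection1 from the rule: both TargetFilename conditions must hold (AND)."""
    target = event.get("TargetFilename", "")
    return sigma_contains(target, r"\Temp\ns") and sigma_endswith(target, r".tmp\System.dll")


# Constructed sample events (assumed field names follow Sysmon Event ID 11).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # An NSIS installer extracting its System plugin into its per-run temp folder.
    {"EventID": "11", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\nsa1B2C.tmp\System.dll"},
    # The same installer dropping a different plugin; not what the rule keys on.
    {"EventID": "11", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\nsa1B2C.tmp\nsExec.dll"},
    # A System.dll written somewhere else; fails the '\Temp\ns' clause.
    {"EventID": "11", "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\other\System.dll"},
    # Mixed-case path, still matched because Sigma matching is case-insensitive.
    {"EventID": "11", "Image": r"C:\Users\bob\Desktop\Installer.exe",
     "TargetFilename": r"C:\USERS\BOB\APPDATA\LOCAL\TEMP\NSD4E5F.TMP\SYSTEM.DLL"},
]


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the FileCreate events that satisfy selection1."""
    return [e for e in events if e.get("EventID") == "11" and matches_nsis_system_dll(e)]


if __name__ == "__main__":
    # Level is low: every legitimate NSIS installer fires this too, so an analyst
    # pivots on Image (the creating process) and what that process does next.
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"[low] NSIS System plugin created by {hit['Image']}: {hit['TargetFilename']}")
```

Running it reports two hits (the lower-case and upper-case `System.dll` drops) and ignores the other plugin and the out-of-pattern path. Because the rule is tuned to fire on any NSIS installer that loads the System plugin, the useful triage step is to join the hit on `Image` with process-creation and network telemetry from the same host rather than to treat the match alone as malicious.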
Related rules
- Nullsoft Scriptable Installer Script (NSIS) execution
- AteraAgent malicious installations
- Custom Cobalt Strike Command Execution
- Execution of ZeroLogon PoC executable
- FlawedGrace spawning threat injection target