Nullsoft Scriptable Installer Script (NSIS) execution
Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.
Sigma rule:

title: Nullsoft Scriptable Installer Script (NSIS) execution
id: b95288d8-020a-4df0-95cb-d2d3a806ab11
description: Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.
status: experimental
date: 2023/06/12
author: "Maxime THIEBAUT (@0xThiebaut), @TheDFIRReport"
references:
    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
    - https://nsis.sourceforge.io/Docs/System/System.html
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|contains: '\Temp\ns'
        TargetFilename|endswith: '.tmp\System.dll'
    condition: selection1
falsepositives:
    - Legitimate NSIS installers (e.g., Razer Chroma, Pulse Secure, ...)
level: low
tags:
    - attack.execution #TA0002
    - attack.T1106
    - dist.public
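The rule fires on a file-creation event whose path lies under a `ns*.tmp` directory inside a `Temp` folder and ends in `System.dll`, which is where NSIS installers unpack the System plugin (the library an NSIS script uses to call Win32 APIs). The following is an added example, not code from the rule's author or from the Sigma project, that applies `selection1` to parsed file-event records. It assumes the records are dicts carrying a `TargetFilename` field (as a parsed Sysmon Event ID 11 would), and that `contains` and `endswith` are matched case-insensitively, which is Sigma's default for string values; the sample events are constructed, not real telemetry.

```python
"""Evaluate the NSIS System plugin Sigma rule against file_event records.

Assumptions (not from the rule page): events are dicts with a
'TargetFilename' key; Sigma string modifiers match case-insensitively.
"""
from typing import Iterable, List

# Both values come straight from the rule's selection1 block.
CONTAINS = r"\Temp\ns"           # TargetFilename|contains
ENDSWITH = r".tmp\System.dll"    # TargetFilename|endswith


def matches_nsis_system_plugin(target_filename: str) -> bool:
    """True when the path satisfies both selection1 conditions (AND)."""
    path = target_filename.lower()  # Sigma compares strings case-insensitively
    return CONTAINS.lower() in path and path.endswith(ENDSWITH.lower())


def find_alerts(events: Iterable[dict]) -> List[dict]:
    """Apply the rule to a stream of file_event records and return the hits."""
    return [e for e in events
            if matches_nsis_system_plugin(e.get("TargetFilename", ""))]


# Constructed sample events (hypothetical paths, not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\nsk7A3B.tmp\System.dll"},
    # Another NSIS plugin in the same directory: not what the rule targets.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\nsk7A3B.tmp\nsExec.dll"},
    # A System.dll that is not under a ns*.tmp directory: no match.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\System.dll"},
    # Upper-case variant still matches because comparison is case-insensitive.
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetFilename": r"C:\WINDOWS\TEMP\NSX1234.TMP\SYSTEM.DLL"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"NSIS System plugin written by {hit['Image']}: {hit['TargetFilename']}")
```

Because the rule is rated `low` and the listed false positives are ordinary NSIS-built installers, a practical triage step is to pivot on the `Image` of each hit (the process that wrote the DLL) and its signer rather than on the path alone.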
Related rules
- Suspicious Execution Location Of Wermgr.EXE
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- Potential In-Memory Download And Compile Of Payloads
- JAMF MDM Potential Suspicious Child Process