Nullsoft Scriptable Installer Script (NSIS) execution

calendar Feb 23, 2024 · attack.execution attack.t1106 dist.public  ·
Share on: linkedin copy

Detects the loading of the NSIS System plugin library, indicative of an NSIS script execution.

Sigma rule (View on GitHub)

 1title: Nullsoft Scriptable Installer Script (NSIS) execution
 2id: 221f15de-1cce-40b2-a766-2873938198c6
 3description: Detects the loading of the NSIS System plugin library, indicative of an NSIS script execution.
 4status: experimental
 5date: 2023-06-12
 6modified: 2024-02-23
 7author: "Maxime THIEBAUT (@0xThiebaut), @TheDFIRReport"
 8references:
 9    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
10    - https://nsis.sourceforge.io/Docs/System/System.html
11logsource:
12    category: image_load
13    product: windows
14detection:
15    selection1:
16        ImageLoaded|contains: '\Temp\ns'
17        ImageLoaded|endswith: '.tmp\System.dll'
18    condition: selection1
19falsepositives:
20    - Legitimate NSIS installers (e.g., Razer Chroma, Pulse Secure, ...)
21level: low
22tags:
23    - attack.execution #TA0002
24    - attack.t1106
25    - dist.public

References

  • A Truly Graceful Wipe Out - The DFIR Report

    In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More


    Read More

  • System Plug-in (NSIS)

    Call and get both share a common syntax. As the names suggest, Call calls and Get gets. What does it call or get? It depends on PROC's value. PARAMS is a list of parameters and what do to with them...


    Read More

Related rules

to-top