
PUA - NimScan Execution

Detects execution of NimScan, a port-scanning utility. In early 2025, adversaries were observed using this tool to scan for open ports on remote hosts inside a compromised environment. The rule matches either on the process image name (\NimScan.exe) or on the import hash (IMPHASH) of known NimScan releases carried in the process-creation event's Hashes field, so a renamed copy is still caught as long as the endpoint sensor records IMPHASH.

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Wed Feb 05
ID: 4fd6b1c7-19b8-4488-97f6-00f0924991a3
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection:
        - Image|endswith: '\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null
        - Hashes|contains:
              - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8
              - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6
              - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2
    condition: selection
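To make the OR between the two list items under selection concrete, the following is an added example that is not part of the rule or of any Sigma backend: it evaluates the selection above directly against Sysmon Event ID 1 style records. The sample events are constructed (the SHA256 values are filler; only the IMPHASH values are the rule's), and the field names Image and Hashes follow Sysmon's process-creation schema. The last event shows the rule's blind spot: a renamed binary on a host whose Sysmon configuration does not list IMPHASH under HashAlgorithms produces no match.

```python
"""Stand-in evaluation of the 'PUA - NimScan Execution' Sigma selection.

Added example, not part of the rule or of any Sigma backend: it applies the
rule's selection directly to Sysmon Event ID 1 style dictionaries so the
OR between the image-name test and the IMPHASH test can be seen on data.
"""

# Values copied verbatim from the rule's detection block on this page.
IMAGE_SUFFIX = "\\NimScan.exe"
IMPHASH_VALUES = (
    "IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C",  # v1.0.8
    "IMPHASH=B1B6ADACB172795480179EFD18A29549",  # v1.0.6
    "IMPHASH=0D1F896DC7642AD8384F9042F30279C2",  # v1.0.4 and v1.0.2
)


def matches_nimscan_rule(event):
    """Return (matched, field) for one process-creation event.

    Sigma string modifiers (endswith, contains) are case-insensitive unless
    the 'cased' modifier is used, so both sides are lowercased. The two list
    items under 'selection' are OR-ed: a hit on either field is enough.
    """
    image = str(event.get("Image", "")).lower()
    hashes = str(event.get("Hashes", "")).lower()
    if image.endswith(IMAGE_SUFFIX.lower()):
        return True, "Image"
    for value in IMPHASH_VALUES:
        if value.lower() in hashes:  # Sigma 'contains' is a substring test
            return True, "Hashes"
    return False, None


# Constructed sample events (the SHA256 values are filler, the IMPHASH values
# are the rule's). Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # unrenamed tool, Sysmon logging IMPHASH: image name fires first
        "ProcessId": 4120,
        "Image": "C:\\Users\\jdoe\\Downloads\\NimScan.exe",
        "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C",
    },
    {   # renamed binary, still caught by the import hash of v1.0.4 / v1.0.2
        "ProcessId": 4188,
        "Image": "C:\\Windows\\Temp\\svchost.exe",
        "Hashes": "SHA256=" + "22" * 32 + ",IMPHASH=0D1F896DC7642AD8384F9042F30279C2",
    },
    {   # legitimate service host with an unrelated import hash: no match
        "ProcessId": 860,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "Hashes": "SHA256=" + "33" * 32 + ",IMPHASH=" + "44" * 16,
    },
    {   # lower-case file name, no IMPHASH logged: case-insensitive endswith still fires
        "ProcessId": 5012,
        "Image": "c:\\tools\\nimscan.exe",
        "Hashes": "SHA256=" + "55" * 32,
    },
    {   # renamed binary on a host whose Sysmon config omits IMPHASH: the rule is blind
        "ProcessId": 5060,
        "Image": "C:\\Windows\\Temp\\update.exe",
        "Hashes": "SHA256=" + "66" * 32,
    },
]


def scan(events):
    """Return {ProcessId: matched_field} for every event the rule fires on."""
    hits = {}
    for event in events:
        matched, field = matches_nimscan_rule(event)
        if matched:
            hits[event["ProcessId"]] = field
    return hits


if __name__ == "__main__":
    for pid, field in scan(SAMPLE_EVENTS).items():
        print(f"PID {pid}: NimScan detected via {field}")
```

Running the script reports PIDs 4120, 4188 and 5012 and stays silent on 5060. For the hash branch to add anything over the image-name branch in production, the Sysmon configuration must include IMPHASH in HashAlgorithms; otherwise the Hashes field never carries the substring the rule looks for.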
False Positives

Legitimate administrator activity

Rule Metadata
Rule ID
4fd6b1c7-19b8-4488-97f6-00f0924991a3
Status
test
Level
medium
Type
Detection
Created
Wed Feb 05
Path
rules/windows/process_creation/proc_creation_win_pua_nimscan.yml
Raw Tags
attack.discovery, attack.t1046