
PUA - Nimgrab Execution

Detects execution of nimgrab, a small downloader bundled with the Nim programming language toolchain. Because it is a signed-looking, legitimately shipped binary that fetches a file from a URL to disk, it can be abused as an ingress tool (T1105) in the same way as certutil or bitsadmin.

Author: François Hubaut
Created: Sun Aug 28
Updated: Sat Nov 23
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
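To see how the two selectors combine, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's logic in plain Python over a few constructed process-creation events. The events, paths and the two "non-matching" hash strings are invented for illustration; the three indicator hashes are the rule's own. It implements the Sigma semantics that matter here: string comparisons are case-insensitive, values listed under one field are OR'ed, fields inside one selection are AND'ed, and `1 of selection_*` fires when any selection matches.

```python
# Added example: evaluate the nimgrab Sigma rule against constructed
# Sysmon-style process-creation events. Not the project's own code.

# Mirror of the rule's detection block. Field names carry the Sigma modifier
# after "|" exactly as in the YAML.
RULE = {
    "selection_name": {"Image|endswith": [r"\nimgrab.exe"]},
    "selection_hashes": {"Hashes|contains": [
        "MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B",
        "SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559",
        "IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45",
    ]},
}

# Indicator hashes as Sysmon writes them into the Hashes field ("ALG=VALUE,...").
NIMGRAB_HASHES = (
    "MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B,"
    "SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559,"
    "IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45"
)
# Constructed placeholder hashes for binaries that are not nimgrab.
OTHER_HASHES = "MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=00,IMPHASH=00"

# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    # 1. Straightforward: correct name, correct hashes -> both selections hit.
    {"Image": r"C:\Users\dev\.nimble\bin\nimgrab.exe",
     "CommandLine": "nimgrab.exe https://example.invalid/a.zip a.zip",
     "Hashes": NIMGRAB_HASHES},
    # 2. Renamed copy: Image selector misses it, hash selector catches it.
    {"Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": "svchost.exe https://example.invalid/p.bin p.bin",
     "Hashes": NIMGRAB_HASHES},
    # 3. Upper-case path with a rebuilt binary: only the name selector hits,
    #    and only because Sigma string matching is case-insensitive.
    {"Image": r"C:\Tools\NIMGRAB.EXE",
     "CommandLine": "NIMGRAB.EXE http://example.invalid/x x",
     "Hashes": OTHER_HASHES},
    # 4. Benign unrelated downloader -> no match.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://example.invalid/x",
     "Hashes": OTHER_HASHES},
]


def _field_matches(event, field_spec, values):
    """One Sigma field line: field|modifier against a list of OR'ed values."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
    for value in values:
        v = str(value).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(event, selection):
    """All field lines inside a selection must match (AND)."""
    return all(
        _field_matches(event, spec, vals if isinstance(vals, list) else [vals])
        for spec, vals in selection.items()
    )


def rule_matches(event, rule=RULE):
    """Return the names of the selections that fire; non-empty == alert.

    The condition '1 of selection_*' is an OR over every selection_ key.
    """
    return [name for name, sel in rule.items()
            if name.startswith("selection_") and selection_matches(event, sel)]


def run_rule(events=SAMPLE_EVENTS):
    """Alerts as (Image, fired selections) for the events that matched."""
    return [(e["Image"], rule_matches(e)) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image, fired in run_rule():
        print(f"ALERT {image}: {', '.join(fired)}")
```

Two practical points the run makes visible. The hash selector is what catches a renamed copy (event 2), but it only works when the log source actually populates `Hashes`, i.e. Sysmon with the relevant algorithms enabled; a native Security 4688 event has no hash field, so on that source only the `Image` selector is live. And because both `endswith` and `contains` are case-insensitive, attempts to dodge the name match with `NIMGRAB.EXE` (event 3) still fire.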
False Positives

Legitimate use of Nim on developer systems. Because the hash selector also fires on renamed copies, tune by host or user group rather than by image path.

Rule Metadata
Rule ID
74a12f18-505c-4114-8d0b-8448dd5485c6
Status
test
Level
high
Type
Detection
Created
Sun Aug 28
Modified
Sat Nov 23
Path
rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
Raw Tags
attack.command-and-control, attack.t1105