Emerging Threat | high | experimental

Grixba Malware Reconnaissance Activity

Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.

Authors: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Wed Nov 26, 2025
Rule ID: af688c76-4ce4-4309-bfdd-e896f01acf27
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source: Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)

detection:
    selection_mode_flag:
        CommandLine|contains:
            - '-m '
            - '-mode '
            - '-m:'
            - '-mode:'
    selection_input_flag:
        CommandLine|contains:
            - '-i '
            - '-input '
            - '-i:'
            - '-input:'
    selection_scan_value:
        CommandLine|contains:
            - 'scan '
            - 'scanall '
    selection_input_options:
        CommandLine|contains:
            - ':f '
            - ':r '
            - ':s '
            - ' f '
            - ' r '
            - ' s '
    condition: all of selection_*
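
The rule's condition can be exercised outside a SIEM to see which selectors fire on a given command line. The following is an added example, not code from the Sigma project or the rule's authors; it reimplements the four selectors with Sigma's case-insensitive `contains` semantics and runs them over constructed process-creation records (the command lines are made up to exercise the selectors, not captured tool invocations).

```python
"""Evaluate the Grixba Sigma rule's detection logic against CommandLine values.
Added example for this page; not part of the Sigma project.  Sample records
are constructed for illustration, not real Sysmon telemetry."""

# The four selectors, copied from the rule.  Sigma's 'contains' modifier on a
# string field is case-insensitive, and values inside one selector are OR'd.
SELECTORS = {
    "selection_mode_flag": ["-m ", "-mode ", "-m:", "-mode:"],
    "selection_input_flag": ["-i ", "-input ", "-i:", "-input:"],
    "selection_scan_value": ["scan ", "scanall "],
    "selection_input_options": [":f ", ":r ", ":s ", " f ", " r ", " s "],
}


def selector_hits(command_line: str) -> dict:
    """Return {selector_name: bool} for one CommandLine value."""
    cl = command_line.lower()
    return {name: any(v.lower() in cl for v in values)
            for name, values in SELECTORS.items()}


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_*  ->  every selector must hit."""
    return all(selector_hits(command_line).values())


# Constructed Sysmon Event ID 1 style records (hypothetical paths and names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\grb.exe",
     "CommandLine": "grb.exe -m scan -i:f hosts.txt"},
    # The false-positive shape from the page: three selectors fire, but the
    # input-options selector does not, so the rule stays quiet.
    {"Image": r"C:\Tools\scanner.exe",
     "CommandLine": "scanner.exe --mode scan --input file.txt"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe user svc_backup /domain"},
]


def triage(events):
    """Return (CommandLine, selector hits) for every record that satisfies the
    rule, so an analyst can see which selectors produced the alert."""
    return [(e["CommandLine"], selector_hits(e["CommandLine"]))
            for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print(cmd, hits)
```

Running it alerts only on the first record; the second shows why the page's false-positive scenario needs the input-option token as well before all four selectors agree.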

False Positives

Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test (evtx), provider Microsoft-Windows-Sysmon

MITRE ATT&CK
Rule Metadata
Rule ID: af688c76-4ce4-4309-bfdd-e896f01acf27
Status: experimental
Level: high
Type: Emerging Threat
Created: Wed Nov 26
Path: rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon.yml
Raw Tags: attack.reconnaissance, attack.t1595.001, attack.discovery, attack.t1046, detection.emerging-threats