← Back to Explore
sigmahighHunting
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Detection Query
selection:
OriginalFileName: NirCmd.exe
filter_main_img:
Image|endswith:
- \nircmd.exe
- \nircmdc.exe
condition: selection and not 1 of filter_main_*
Author
X__Junior (Nextron Systems)
Created
2024-03-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059attack.defense-evasionattack.t1202
Raw Content
title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: test
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.nirsoft.net/utils/nircmd.html
author: X__Junior (Nextron Systems)
date: 2024-03-11
tags:
- attack.execution
- attack.t1059
- attack.defense-evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'NirCmd.exe'
filter_main_img:
Image|endswith:
- '\nircmd.exe'
- '\nircmdc.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high