Detection of tools built by NirSoft

name: Detection of tools built by NirSoft
id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0
version: 10
date: '2026-03-10'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
description: The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |-
    | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime FROM datamodel=Endpoint.Processes
      WHERE (
            Processes.process="* /stext *"
            OR
            Processes.process="* /scomma *"
        )
      BY Processes.action Processes.dest Processes.original_file_name
         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
         Processes.process Processes.process_exec Processes.process_guid
         Processes.process_hash Processes.process_id Processes.process_integrity_level
         Processes.process_name Processes.process_path Processes.user
         Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `detection_of_tools_built_by_nirsoft_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.
references: []
rba:
    message: NirSoft tool detected on $dest$
    risk_objects:
        - field: user
          type: user
          score: 20
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Emotet Malware DHS Report TA18-201A
    asset_type: Endpoint
    mitre_attack_id:
        - T1072
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint