Sigma rule | Level: medium | Hunting
PUA - NirCmd Execution
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
Detection Query

    selection_org:
        - Image|endswith: \NirCmd.exe
        - OriginalFileName: NirCmd.exe
    selection_cmd:
        CommandLine|contains:
            - " execmd "
            - ".exe script "
            - ".exe shexec "
            - " runinteractive "
    combo_exec:
        CommandLine|contains:
            - " exec "
            - " exec2 "
    combo_exec_params:
        CommandLine|contains:
            - " show "
            - " hide "
    condition: 1 of selection_* or all of combo_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2022-01-24
Data Sources
windows / Process Creation Events
Platforms
windows
References
- https://www.nirsoft.net/utils/nircmd.html
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
- https://www.nirsoft.net/utils/nircmd2.html#using
Tags
attack.execution, attack.t1569.002, attack.s0029
Raw Content

    title: PUA - NirCmd Execution
    id: 4e2ed651-1906-4a59-a78a-18220fca1b22
    status: test
    description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
    references:
        - https://www.nirsoft.net/utils/nircmd.html
        - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
        - https://www.nirsoft.net/utils/nircmd2.html#using
    author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
    date: 2022-01-24
    modified: 2023-02-13
    tags:
        - attack.execution
        - attack.t1569.002
        - attack.s0029
    logsource:
        category: process_creation
        product: windows
    detection:
        selection_org:
            - Image|endswith: '\NirCmd.exe'
            - OriginalFileName: 'NirCmd.exe'
        selection_cmd:
            CommandLine|contains:
                - ' execmd '
                - '.exe script '
                - '.exe shexec '
                - ' runinteractive '
        combo_exec:
            CommandLine|contains:
                - ' exec '
                - ' exec2 '
        combo_exec_params:
            CommandLine|contains:
                - ' show '
                - ' hide '
        condition: 1 of selection_* or all of combo_*
    falsepositives:
        - Legitimate use by administrators
    level: medium
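To make the matching semantics of the detection section concrete (a list of maps is OR, the keys of one map are AND, a list of values under one key is OR, string matching is case-insensitive, and the condition is `1 of selection_* or all of combo_*`), the following is an added example that evaluates this rule's logic over constructed process-creation events. It is not code from the Sigma project or from this page; it implements only the `contains`, `endswith` and exact-match forms this rule uses, and the sample events, field names in Sysmon style (`Image`, `OriginalFileName`, `CommandLine`) and file paths are constructed for illustration.

```python
# Added example: a minimal evaluator for the subset of Sigma matching used by
# the "PUA - NirCmd Execution" rule. Not part of the rule or the Sigma project.
# Sigma string matching is case-insensitive, so values and patterns are lower-cased.

# The rule's detection section, transcribed into Python structures.
DETECTION = {
    "selection_org": [                      # list of maps => OR across the maps
        {"Image|endswith": "\\NirCmd.exe"},
        {"OriginalFileName": "NirCmd.exe"},
    ],
    "selection_cmd": {                      # one map => AND across its keys
        "CommandLine|contains": [" execmd ", ".exe script ",
                                 ".exe shexec ", " runinteractive "],
    },
    "combo_exec": {"CommandLine|contains": [" exec ", " exec2 "]},
    "combo_exec_params": {"CommandLine|contains": [" show ", " hide "]},
}


def _field_matches(event, key, patterns):
    """One 'Field|modifier: value(s)' entry; a list of values is OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    for pat in patterns:
        p = str(pat).lower()
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "" and value == p:
            return True
    return False


def _selection_matches(event, selection):
    """A list of maps is OR; a single map is AND over its keys."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matches_nircmd_rule(event):
    """Condition from the rule: 1 of selection_* or all of combo_*."""
    sel = [n for n in DETECTION if n.startswith("selection_")]
    combo = [n for n in DETECTION if n.startswith("combo_")]
    one_of_selection = any(_selection_matches(event, DETECTION[n]) for n in sel)
    all_of_combo = all(_selection_matches(event, DETECTION[n]) for n in combo)
    return one_of_selection or all_of_combo


# Constructed sample events (not real telemetry); paths are hypothetical.
SAMPLE_EVENTS = [
    # Matches via selection_org (Image) and via both combo_* groups.
    {"Image": "C:\\Tools\\nircmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": "nircmd.exe exec hide cmd.exe /c whoami"},
    # Binary renamed and OriginalFileName absent: still caught by all of combo_*.
    {"Image": "C:\\Users\\a\\renamed.exe", "OriginalFileName": "setup.exe",
     "CommandLine": "renamed.exe exec hide calc.exe"},
    # combo_exec alone is not enough; combo_exec_params (show/hide) is missing.
    {"Image": "C:\\Users\\a\\renamed.exe", "OriginalFileName": "setup.exe",
     "CommandLine": "renamed.exe exec calc.exe"},
    # Unrelated process: no group matches.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event: does the rule fire on it?"""
    return [matches_nircmd_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{'ALERT' if hit else 'ok   '}  {event['CommandLine']}")
```

The third sample event shows why the two `combo_*` groups are joined with `all of`: a bare ` exec ` substring is common in unrelated command lines, so the rule only fires on it together with a ` show ` or ` hide ` argument; the second event shows that the `combo_*` path still fires when the binary has been renamed and the `selection_org` fields do not match.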