sigmahighHunting

PUA - Nimgrab Execution

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

MITRE ATT&CK

command-and-control

Detection Query

selection_name:
  Image|endswith: \nimgrab.exe
selection_hashes:
  Hashes|contains:
    - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
    - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
    - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
condition: 1 of selection_*

Author

frack113

Created

2022-08-28

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md

Tags

attack.command-and-controlattack.t1105

Raw Content

title: PUA - Nimgrab Execution
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: test
description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Nim on a developer systems
level: high