
Summary
This detection rule identifies execution of 'nimgrab.exe', a file-download utility that ships with the Nim programming toolchain and is commonly used to fetch files from remote locations. The rule matches Windows process-creation events whose image path ends with 'nimgrab.exe'. It also checks the process's MD5 and SHA256 hashes against known hash values of the 'nimgrab' executable, which helps reduce false positives from legitimate usage scenarios. The rule is assigned a high alert level because nimgrab can be misused to download malicious content. The detection logic fires when either the image name matches or the executable's hashes correspond to the pre-defined known hashes of the nimgrab binary.
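The two-clause logic described above (image name OR known hash) as a Python evaluator run over a few process-creation events. This is an added example, not code from the rule page or its authors. The events, the Sysmon-style 'Hashes' field format, and the stand-in byte string from which the 'known' hashes are derived are all constructed for this example; the real rule carries the actual nimgrab hashes, which are not reproduced here.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# The "known" hashes below are derived from a constructed stand-in byte string,
# not from the real nimgrab.exe. The actual rule carries the real MD5/SHA256.
_STANDIN_BINARY = b"constructed stand-in for nimgrab.exe contents (example only)"
_STANDIN_MD5 = hashlib.md5(_STANDIN_BINARY).hexdigest()
_STANDIN_SHA256 = hashlib.sha256(_STANDIN_BINARY).hexdigest()
KNOWN_NIMGRAB_MD5 = {_STANDIN_MD5}
KNOWN_NIMGRAB_SHA256 = {_STANDIN_SHA256}


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Parse a Sysmon-style 'MD5=...,SHA256=...,IMPHASH=...' field into {ALGO: hex}."""
    parsed: Dict[str, str] = {}
    for part in hashes_field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            parsed[algo.strip().upper()] = digest.strip().lower()
    return parsed


def is_nimgrab_execution(event: Dict) -> Tuple[bool, Optional[str]]:
    """Apply the rule to one event; return (matched, clause) where clause is
    'image_name' or 'known_hash'."""
    # Only process-creation events are in scope (Sysmon Event ID 1).
    if event.get("EventID") != 1:
        return False, None

    # Clause 1: the image path ends with '\nimgrab.exe'. The leading backslash
    # anchors on the file name, so 'notnimgrab.exe' does not match.
    image = event.get("Image", "")
    if image.lower().endswith("\\nimgrab.exe"):
        return True, "image_name"

    # Clause 2: the file hash matches the known nimgrab binary, which covers a
    # copy saved under a different name that the image-name check would miss.
    hashes = parse_hashes(event.get("Hashes", ""))
    if hashes.get("MD5") in KNOWN_NIMGRAB_MD5 or hashes.get("SHA256") in KNOWN_NIMGRAB_SHA256:
        return True, "known_hash"

    return False, None


def scan(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (image, clause) for every event the rule matches."""
    hits = []
    for event in events:
        matched, clause = is_nimgrab_execution(event)
        if matched:
            hits.append((event.get("Image", ""), clause))
    return hits


# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # stock binary in its usual nimble install path: matches on name
        "EventID": 1,
        "Image": "C:\\Users\\alice\\.nimble\\bin\\nimgrab.exe",
        "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64,
    },
    {   # same file under another name: name check misses, hash check matches
        "EventID": 1,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "Hashes": f"MD5={_STANDIN_MD5.upper()},SHA256={_STANDIN_SHA256.upper()},IMPHASH=" + "0" * 32,
    },
    {   # unrelated process: no match
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "Hashes": "MD5=" + "1" * 32 + ",SHA256=" + "1" * 64,
    },
    {   # network-connection event for nimgrab: out of scope for this rule
        "EventID": 3,
        "Image": "C:\\Users\\alice\\.nimble\\bin\\nimgrab.exe",
    },
]

if __name__ == "__main__":
    for image, clause in scan(SAMPLE_EVENTS):
        print(f"ALERT nimgrab execution ({clause}): {image}")
```

In Sigma terms the two clauses correspond to an `Image|endswith` selection and a `Hashes|contains` (or `md5`/`sha256`) selection joined with OR. The hash clause is only as good as the hash list: each nimgrab release has different hashes, so the list needs updating when a new Nim toolchain ships, or the rule silently falls back to the name check alone.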
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1105
Created: 2022-08-28