PUA - Nimgrab Execution

Severity: high
Author: frack113
Source: upstream

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_name`

Image|endswith: '\nimgrab.exe'

Stage 2: `1 of selection_hashes`

or:
Hashes|contains: 'IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45'
Hashes|contains: 'MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B'
Hashes|contains: 'SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Hashes`	match	`IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45` `MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B` `SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559`
`Image`	ends_with	`\nimgrab.exe`