Detection rules › Splunk
Windows NirSoft Tool Bundle File Created
The following analytic detects the creation of files associated with the NirSoft tool bundles on Windows endpoints. NirSoft is a well-known provider of free, portable utilities that can be used for various system and network tasks. However, threat actors often leverage these tools for malicious purposes, such as credential harvesting, network reconnaissance, and data exfiltration. The detection focuses on the creation of specific NirSoft tool bundle files, which may indicate that an attacker is preparing to use these utilities on a compromised system. Security teams should investigate any instances of these files being created, especially if they are found in unexpected locations or on systems that should not be using such tools.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Resource Development | T1588.002 Obtain Capabilities: Tool |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE Filesystem.file_name IN ("brtools.zip", "mailpv.zip", "networktools.zip", "passreccommandline.zip", "passrecenc.zip", "progtools.zip", "rdpv.zip", "systools.zip", "webbrowserpassview.zip") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_name | in |
|