Techniques
Sample rules
Windows NirSoft Tool Bundle File Created
- source: splunk
- technicques:
- T1588.002
Description
The following analytic detects the creation of files associated with the NirSoft tool bundles on Windows endpoints. NirSoft is a well-known provider of free, portable utilities that can be used for various system and network tasks. However, threat actors often leverage these tools for malicious purposes, such as credential harvesting, network reconnaissance, and data exfiltration. The detection focuses on the creation of specific NirSoft tool bundle files, which may indicate that an attacker is preparing to use these utilities on a compromised system. Security teams should investigate any instances of these files being created, especially if they are found in unexpected locations or on systems that should not be using such tools.
Detection logic
| tstats `security_content_summariesonly`
count values(Filesystem.file_path) as file_path
min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
``` Increase coverage by adding additional Nirsoft tool bundle or tool filenames ```
Filesystem.file_name IN (
"brtools.zip",
"mailpv.zip",
"networktools.zip",
"passreccommandline.zip",
"passrecenc.zip",
"progtools.zip",
"rdpv.zip",
"systools.zip",
"webbrowserpassview.zip"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_nirsoft_tool_bundle_file_created_filter`