Techniques
Sample rules
Windows NirSoft Utilities
- source: splunk
- technicques:
- T1588.002
Description
The following hunting analytic assists with identifying the proces execution of commonly used utilities from NirSoft. Potentially not adversary behavior, but worth identifying to know if the software is present and being used.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `is_nirsoft_software_macro`
| `windows_nirsoft_utilities_filter`