Techniques
Sample rules
PUA - Nimgrab Execution
- source: sigma
- techniques:
  - t1105
Description
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
Detection logic
condition: 1 of selection_*
selection_hashes:
  Hashes|contains:
    - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
    - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
    - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
selection_name:
  Image|endswith: \nimgrab.exe
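How the two selections and the "1 of selection_*" condition behave on process-creation events, as an added example that is not part of the Sigma rule or its project. The events are constructed, and the comma-separated Sysmon-style Hashes field is an assumption about the log source.

```python
# Added example: evaluates the rule's detection logic over constructed events.
RULE_HASHES = (
    "MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B",
    "SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559",
    "IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45",
)
RULE_IMAGE_SUFFIX = r"\nimgrab.exe"  # leading backslash anchors the file name


def matched_selections(event):
    """Return the names of the rule's selections that this event satisfies."""
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    hashes = str(event.get("Hashes", "")).lower()
    image = str(event.get("Image", "")).lower()
    hits = []
    # Hashes|contains with a list: any one listed value as a substring is enough.
    if any(h.lower() in hashes for h in RULE_HASHES):
        hits.append("selection_hashes")
    # Image|endswith: the full path must end with \nimgrab.exe.
    if image.endswith(RULE_IMAGE_SUFFIX.lower()):
        hits.append("selection_name")
    return hits


def rule_fires(event):
    """condition: 1 of selection_* -> at least one selection matched."""
    return bool(matched_selections(event))


# Constructed sample events (paths and the all-zero hashes are made up).
ZERO_MD5 = "MD5=" + "0" * 32
SAMPLE_EVENTS = [
    # Default file name in mixed case, hashes not in the rule.
    {"Image": r"C:\Nim\bin\NimGrab.EXE", "Hashes": ZERO_MD5},
    # Different file name, but the import hash is one the rule lists.
    {"Image": r"C:\Temp\fetch.exe", "Hashes": ZERO_MD5 + "," + RULE_HASHES[2]},
    # Default file name and a listed SHA256: both selections match.
    {"Image": r"C:\Nim\bin\nimgrab.exe", "Hashes": RULE_HASHES[1]},
    # The Nim compiler itself: neither selection matches.
    {"Image": r"C:\Nim\bin\nim.exe", "Hashes": ZERO_MD5},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], rule_fires(ev), matched_selections(ev))
```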