While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.

Techniques

Sample rules

Detection of tools built by NirSoft

Description

This search looks for specific command-line arguments (/stext and /scomma) that may indicate the execution of tools made by NirSoft. The tools are legitimate, but they may be abused by attackers.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *") by Processes.parent_process Processes.process_name Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detection_of_tools_built_by_nirsoft_filter`
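The following Python is an added example, not code from the LoFP page or from Splunk's security content. It re-implements the search above outside Splunk so the matching and grouping can be inspected on a handful of constructed process events: the same two substrings are tested against the command line, hits are grouped by parent process, process name and user with count, first and last time, and the distinct command lines, and a small allowlist plays the role of the `detection_of_tools_built_by_nirsoft_filter` macro so a verified legitimate use (the point of the false-positive note) can be tuned out. The event fields, timestamps, user names and the allowlist entry are all constructed for illustration; the tool names are real NirSoft utilities but the invocations are made up.

```python
"""Stand-alone re-implementation of the NirSoft /stext|/scomma detection.

Added example (not the page's or Splunk's code). Events are constructed to
stand in for rows of the Endpoint.Processes datamodel.
"""
from dataclasses import dataclass, field

# Same substrings the SPL search tests with "* /stext *" and "* /scomma *":
# the surrounding spaces mean the token must appear as a separate argument.
SUSPICIOUS_ARGS = (" /stext ", " /scomma ")

# Constructed sample events (field names mirror the datamodel after
# drop_dm_object_name). Timestamps are epoch seconds, chosen arbitrarily.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "CORP\\jdoe", "parent_process": "cmd.exe",
     "process_name": "WebBrowserPassView.exe",
     "process": "WebBrowserPassView.exe /stext C:\\Users\\jdoe\\out.txt"},
    {"_time": 1700000060, "user": "CORP\\jdoe", "parent_process": "cmd.exe",
     "process_name": "WebBrowserPassView.exe",
     "process": "WebBrowserPassView.exe /scomma C:\\Users\\jdoe\\out.csv"},
    {"_time": 1700000120, "user": "CORP\\helpdesk", "parent_process": "explorer.exe",
     "process_name": "ProduKey.exe",
     "process": "ProduKey.exe /stext C:\\Temp\\keys.txt"},
    # Benign: "stext" appears only inside a file name, not as a /stext argument.
    {"_time": 1700000180, "user": "CORP\\jdoe", "parent_process": "explorer.exe",
     "process_name": "notepad.exe",
     "process": "notepad.exe C:\\Users\\jdoe\\stext.txt"},
]


@dataclass
class Hit:
    """One output row of the search: stats grouped by parent/name/user."""
    count: int = 0
    firstTime: int = 0
    lastTime: int = 0
    process: set = field(default_factory=set)  # values(Processes.process)


def matches(process: str) -> bool:
    """Equivalent of the SPL where clause; compared case-insensitively,
    as Splunk treats search-term wildcards (assumption stated in lead-in)."""
    p = process.lower()
    return any(arg in p for arg in SUSPICIOUS_ARGS)


def run_detection(events):
    """Group matching events like `... by parent_process process_name user`."""
    groups = {}
    for e in events:
        if not matches(e["process"]):
            continue
        key = (e["parent_process"], e["process_name"], e["user"])
        hit = groups.setdefault(key, Hit(firstTime=e["_time"], lastTime=e["_time"]))
        hit.count += 1
        hit.firstTime = min(hit.firstTime, e["_time"])   # min(_time) as firstTime
        hit.lastTime = max(hit.lastTime, e["_time"])     # max(_time) as lastTime
        hit.process.add(e["process"])
    return groups


# Stand-in for the `detection_of_tools_built_by_nirsoft_filter` macro: once a
# use has been verified as legitimate, record it here so it stops alerting.
# Constructed entry: a help-desk account launching ProduKey from Explorer.
APPROVED = {("explorer.exe", "ProduKey.exe", "CORP\\helpdesk")}


def apply_filter(results, approved=APPROVED):
    """Drop rows whose (parent, name, user) triple is an approved use."""
    return {k: v for k, v in results.items() if k not in approved}


if __name__ == "__main__":
    for key, hit in apply_filter(run_detection(SAMPLE_EVENTS)).items():
        parent, name, user = key
        print(f"{user} ran {name} under {parent}: {hit.count} event(s), "
              f"{hit.firstTime}-{hit.lastTime}")
        for cmd in sorted(hit.process):
            print("   ", cmd)
```

Running the module prints one remaining row (the two WebBrowserPassView launches by jdoe) after the approved help-desk use is filtered; the notepad event never matches because the search requires `/stext` as a space-delimited argument, not merely the substring. Tune `APPROVED` only after the verification the false-positive note calls for.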