PUA - NimScan Execution

Original Source: [Sigma source]
Title: PUA - NimScan Execution
Status: test
Description: Detects usage of NimScan, a port scanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
References:
  - https://x.com/cyberfeeddigest/status/1887041526397587859
  - https://github.com/elddy/NimScan
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-02-05
Modified: None
Tags:
  - attack.discovery
  - attack.t1046
Logsource:
  - category: process_creation
  - product: windows
Detection:
  selection:
    - Image|endswith: '\NimScan.exe'
    - Hashes|contains:
        - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C'
        - 'IMPHASH=B1B6ADACB172795480179EFD18A29549'
        - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2'
  condition: selection
Falsepositives:
  - Legitimate administrator activity
Level: medium
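To show how the selection evaluates, here is an added Python example (not part of the Sigma rule or its tooling) that applies the rule's two OR-ed conditions to constructed Sysmon-style process creation events; the event field names and all sample values other than the three import hashes are assumptions.

```python
# Added example: evaluate the "PUA - NimScan Execution" selection against
# constructed process_creation events (Sysmon Event ID 1 style fields).
# The selection is a YAML list of two maps, so Sigma ORs them: a hit on
# either the image name or one of the listed import hashes is enough.

IMAGE_SUFFIX = "\\nimscan.exe"  # the rule's Image|endswith value, lower-cased
IMPHASHES = (                   # the rule's Hashes|contains values
    "IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C",
    "IMPHASH=B1B6ADACB172795480179EFD18A29549",
    "IMPHASH=0D1F896DC7642AD8384F9042F30279C2",
)


def matches_nimscan(event: dict) -> bool:
    """Return True if the event satisfies the rule's selection.

    Sigma string modifiers (endswith, contains) match case-insensitively,
    so both sides are lower-cased before comparison.
    """
    image = str(event.get("Image", "")).lower()
    hashes = str(event.get("Hashes", "")).lower()
    if image.endswith(IMAGE_SUFFIX):
        return True
    return any(h.lower() in hashes for h in IMPHASHES)


def scan_events(events) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_nimscan(ev)]


# Constructed sample events (paths and SHA256 fields are placeholders).
SAMPLE_EVENTS = [
    # 0: tool run under its original file name
    {"Image": "C:\\Users\\Public\\NimScan.exe",
     "Hashes": "SHA256=<placeholder>,IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C"},
    # 1: renamed binary, still caught by its import hash (different case)
    {"Image": "C:\\Windows\\Temp\\svc.exe",
     "Hashes": "SHA256=<placeholder>,IMPHASH=b1b6adacb172795480179efd18a29549"},
    # 2: benign process, neither condition holds
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "Hashes": "SHA256=<placeholder>,IMPHASH=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for i in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Image']}")
```

The second sample event shows why the hash branch matters: renaming the executable defeats the image-name check but not the import hash.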