blue-team-tools/rules/windows/process_creation/proc_creation_win_nimgrab.yml

title: Nimgrab File Download
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: experimental
description: Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. This can be normal behaviour on developer systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
date: 2022/08/28
author: frack113
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    selection_hash:
        - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
        - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
        - imphash: C07FDDD21D123EA9B3A08EEF44AAAC45   
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Nim on developer systems
level: high
tags:
    - attack.command_and_control
    - attack.t1105