| ID | Technique | Tactic |
|---|---|---|
| T1588.002 | Tool | Resource Development |
Detection: Windows NirSoft Tool Bundle File Created
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic detects the creation of files associated with the NirSoft tool bundles on Windows endpoints. NirSoft is a well-known provider of free, portable utilities that can be used for various system and network tasks. However, threat actors often leverage these tools for malicious purposes, such as credential harvesting, network reconnaissance, and data exfiltration. The detection focuses on the creation of specific NirSoft tool bundle files, which may indicate that an attacker is preparing to use these utilities on a compromised system. Security teams should investigate any instances of these files being created, especially if they are found in unexpected locations or on systems that should not be using such tools.
Search
````spl
| tstats `security_content_summariesonly`
    count values(Filesystem.file_path) as file_path
    min(_time) as firstTime
    max(_time) as lastTime
  from datamodel=Endpoint.Filesystem where
    ``` Increase coverage by adding additional Nirsoft tool bundle or tool filenames ```
    Filesystem.file_name IN (
      "brtools.zip",
      "mailpv.zip",
      "networktools.zip",
      "passreccommandline.zip",
      "passrecenc.zip",
      "progtools.zip",
      "rdpv.zip",
      "systools.zip",
      "webbrowserpassview.zip"
    )
  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
     Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
     Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
     Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_nirsoft_tool_bundle_file_created_filter`
````
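The same matching logic, written out as an added Python example that is not part of this page or of the Splunk Threat Research content. It parses constructed Sysmon Event ID 11 records (the hosts, users, paths and process GUIDs are hypothetical), maps them onto the Endpoint.Filesystem fields the search reads, groups hits with count, firstTime and lastTime the way the tstats by clause does, and shows a filter function standing in for the windows_nirsoft_tool_bundle_file_created_filter macro. Lower-casing the file name before comparison is a choice made in this example, not behaviour the page attributes to Splunk.

```python
"""Added example, not from the Splunk page: the SPL search's matching logic
re-implemented over constructed Sysmon Event ID 11 (FileCreate) records so the
detection can be exercised offline. Hosts, users, paths and GUIDs are
hypothetical; the case normalisation and the sample filter are choices made here."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# File names the search matches on; extend this set to widen coverage.
NIRSOFT_BUNDLES = {
    "brtools.zip", "mailpv.zip", "networktools.zip", "passreccommandline.zip",
    "passrecenc.zip", "progtools.zip", "rdpv.zip", "systools.zip",
    "webbrowserpassview.zip",
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon EID 11 record in the shape of the XmlWinEventLog sourcetype, trimmed
# to the fields the detection reads.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><Computer>{host}</Computer></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessGuid">{pguid}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""

def make_event(**fields):
    return EVENT_TEMPLATE.format(**fields)

# Constructed sample log: one bundle written twice by a browser download, a second
# bundle with a mixed-case name, an unrelated zip, and a copy on an IT admin host.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    make_event(eid=11, host="ws01.corp.example", utc="2024-05-01 10:02:11.120",
               pguid="{b3c4d5e6-0001-4a5b-8c9d-0123456789ab}", pid=4120, image=CHROME,
               target=r"C:\Users\jdoe\Downloads\passrecenc.zip", user=r"CORP\jdoe"),
    make_event(eid=11, host="ws01.corp.example", utc="2024-05-01 10:02:11.470",
               pguid="{b3c4d5e6-0001-4a5b-8c9d-0123456789ab}", pid=4120, image=CHROME,
               target=r"C:\Users\jdoe\Downloads\passrecenc.zip", user=r"CORP\jdoe"),
    make_event(eid=11, host="ws01.corp.example", utc="2024-05-01 10:05:40.003",
               pguid="{b3c4d5e6-0002-4a5b-8c9d-0123456789ab}", pid=5211,
               image=r"C:\Windows\explorer.exe",
               target=r"C:\Users\jdoe\Desktop\WebBrowserPassView.zip", user=r"CORP\jdoe"),
    make_event(eid=11, host="ws01.corp.example", utc="2024-05-01 10:06:02.551",
               pguid="{b3c4d5e6-0003-4a5b-8c9d-0123456789ab}", pid=5211,
               image=r"C:\Windows\explorer.exe",
               target=r"C:\Users\jdoe\Desktop\report.zip", user=r"CORP\jdoe"),
    make_event(eid=11, host="it-admin01.corp.example", utc="2024-05-01 11:30:00.000",
               pguid="{b3c4d5e6-0004-4a5b-8c9d-0123456789ab}", pid=912,
               image=r"C:\Windows\System32\robocopy.exe",
               target=r"C:\Tools\systools.zip", user=r"CORP\svc-it"),
]

def parse_event(xml_text):
    """Map one Sysmon XML record onto the Endpoint.Filesystem fields the search uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    path = data.get("TargetFilename", "")
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "dest": system.findtext("e:Computer", namespaces=NS),
        "action": "created",                 # EID 11 is always a FileCreate
        "file_path": path,
        "file_name": path.rsplit("\\", 1)[-1],
        "process_guid": data.get("ProcessGuid", ""),
        "process_id": data.get("ProcessId", ""),
        "user": data.get("User", ""),
        "_time": data.get("UtcTime", ""),
    }

def detect_nirsoft_bundle_files(xml_events, filter_fn=lambda row: False):
    """Equivalent of the tstats search: keep EID 11 rows whose file name is a known
    bundle, drop rows the filter accepts (the role of the *_filter macro), and
    aggregate count, file_path values, firstTime and lastTime per group."""
    groups = defaultdict(lambda: {"count": 0, "file_path": set(), "first": None, "last": None})
    for xml_text in xml_events:
        row = parse_event(xml_text)
        if row["event_id"] != 11 or row["file_name"].lower() not in NIRSOFT_BUNDLES:
            continue
        if filter_fn(row):
            continue
        g = groups[(row["dest"], row["file_name"], row["process_guid"], row["user"])]
        g["count"] += 1
        g["file_path"].add(row["file_path"])
        t = row["_time"]                     # "YYYY-MM-DD HH:MM:SS.mmm" sorts as text
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    results = []
    for (dest, file_name, pguid, user), g in groups.items():
        results.append({
            "dest": dest, "file_name": file_name, "process_guid": pguid, "user": user,
            "count": g["count"], "file_path": sorted(g["file_path"]),
            "firstTime": g["first"], "lastTime": g["last"], "risk_score": 20,
            "risk_message": f"NirSoft tool bundle file {file_name} created on host {dest}",
        })
    return sorted(results, key=lambda r: (r["dest"], r["file_name"]))

def it_admin_filter(row):
    """Sample content for the *_filter macro: suppress the hypothetical approved
    tooling share on the IT admin host and leave every other host unfiltered."""
    return (row["dest"] == "it-admin01.corp.example"
            and row["file_path"].lower().startswith("c:\\tools\\"))
```

Running `detect_nirsoft_bundle_files(SAMPLE_EVENTS)` yields three grouped hits (the unrelated `report.zip` is dropped and the two `passrecenc.zip` writes collapse into one row with `count` 2); passing `it_admin_filter` removes the IT host's row, which is the same effect as populating the filter macro in Splunk.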
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_nirsoft_tool_bundle_file_created_filter | search * |
windows_nirsoft_tool_bundle_file_created_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
Implementation
To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
Known False Positives
Administrators or users may download NirSoft tools for legitimate purposes, such as system maintenance or troubleshooting. These instances should be reviewed to determine if the activity is authorized.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
NirSoft tool bundle file $file_name$ created on host $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 20 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Not Applicable | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1