← Back to SOC feed Coverage →

PUA - Nimgrab Execution

sigma HIGH SigmaHQ
T1105
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Detection Rule

Sigma (Original)

title: PUA - Nimgrab Execution
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: test
description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Nim on a developer systems
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\nimgrab.exe" or (TargetProcessMD5 startswith "2DD44C3C29D667F5C0EF5F9D7C7FFB8B" or TargetProcessSHA256 startswith "F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559" or TargetProcessIMPHASH startswith "C07FDDD21D123EA9B3A08EEF44AAAC45")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml