100 Days of YARA – Day 45: Generic NirSoft Tools

NirSoft publishes legitimate Windows utilities, but they are routinely abused: attackers bundle them with malware or drop them onto compromised hosts to harvest additional information. The password-recovery tools in particular are used to dump credentials saved by browsers and email clients and stored in the registry.

As such, the presence of NirSoft tools on a system is noteworthy. Many hits on this rule will turn out to be benign (administrators and power users run these utilities legitimately), so treat a match as a triage lead rather than a conviction; it may still be the first sign of malicious activity.

The rule is generic and future-proof because it keys on the vendor name embedded in the binaries rather than on any one tool, so it will almost certainly match additional tools developed by NirSoft that haven't been released yet. The flip side is that it only sees the name when it is present in the clear: a packed copy, or one with its version resources stripped, will not carry the plain string.

rule nirsoft_generic
{
	meta:
		description = "Generic catch-all for NirSoft tools"

	strings:
		$ = "NirSoft" ascii wide

	condition:
		all of them
}
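To make the single string in the rule concrete, the following Python snippet (an added example for this post, not the rule author's code or a YARA component) emulates what the `ascii wide` modifier does: it searches a buffer for "NirSoft" both as one-byte ASCII and as UTF-16LE, the encoding a PE's version-info strings (CompanyName, LegalCopyright) are stored in. The sample buffers are constructed inline and only loosely modelled on a VS_VERSIONINFO block; they are not real binaries.

```python
# Added example, not part of the original post: emulates what the
# nirsoft_generic rule's single string does.  YARA's `ascii wide`
# modifier matches both the one-byte form of "NirSoft" and its UTF-16LE
# form (each character followed by a NUL byte).  The UTF-16LE form is
# the one that matters for NirSoft binaries: the CompanyName /
# LegalCopyright fields in a PE's VS_VERSIONINFO resource are stored as
# UTF-16LE, so a plain `ascii` string would miss them.
import re
from typing import Dict, List, Tuple

NEEDLE = b"NirSoft"


def yara_string_patterns(s: bytes) -> Dict[str, bytes]:
    """Return the byte patterns YARA searches for under `ascii wide`."""
    return {
        "ascii": s,
        "wide": s.decode("ascii").encode("utf-16-le"),
    }


def scan(data: bytes, needle: bytes = NEEDLE) -> List[Tuple[str, int]]:
    """Find every offset where needle appears in ASCII or UTF-16LE.

    Returns (modifier, offset) tuples sorted by offset, mirroring the
    per-string match list `yara -s` prints.
    """
    hits = []
    for mod, pat in yara_string_patterns(needle).items():
        for m in re.finditer(re.escape(pat), data):
            hits.append((mod, m.start()))
    return sorted(hits, key=lambda h: h[1])


def matches_rule(data: bytes) -> bool:
    """`condition: all of them` with a single string == at least one hit."""
    return bool(scan(data))


# Constructed sample buffers (not real binaries).  The first is loosely
# modelled on a version-info resource as a PE carries it: UTF-16LE
# key/value strings, each NUL-terminated.  The second mentions the
# vendor only in ASCII; the third has no marker at all.
FAKE_VERSIONINFO = (
    b"\x00" * 8
    + "CompanyName".encode("utf-16-le") + b"\x00\x00"
    + "NirSoft".encode("utf-16-le") + b"\x00\x00"
    + "LegalCopyright".encode("utf-16-le") + b"\x00\x00"
    + "Copyright (c) NirSoft".encode("utf-16-le") + b"\x00\x00"
)
ASCII_ONLY = b"MZ\x90\x00Utility by NirSoft"
NO_MARKER = b"MZ\x90\x00nothing of interest here"

if __name__ == "__main__":
    for name, buf in (("fake_versioninfo", FAKE_VERSIONINFO),
                      ("ascii_only", ASCII_ONLY),
                      ("no_marker", NO_MARKER)):
        print(f"{name}: matches={matches_rule(buf)} hits={scan(buf)}")
```

Running the script shows the version-info buffer matching only through the `wide` form, which is exactly why the rule carries both modifiers; dropping `wide` would leave the rule blind to the place the vendor name most reliably appears.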
