100 Days of YARA – Day 45: Generic NirSoft Tools

Unfortunately, NirSoft tools are abused by malicious entities, often bundled with malware or purposefully placed on compromised systems to glean additional information. Attackers abuse these tools to dump passwords from browsers, email clients, and those held within the registry.

As such, the presence of NirSoft tools on a system is noteworthy. Hits on this rule often yield false-positive results but may reveal malicious activity.

This rule is generic and future-proof because it will almost certainly match additional tools developed by NirSoft that haven’t been released yet.

rule nirsoft_generic
		description = "Generic catch-all for NirSoft tools"

		$ = "NirSoft" ascii wide

		all of them

YARA Rules Index

One thought on “100 Days of YARA – Day 45: Generic NirSoft Tools

  1. Pingback: Week 06 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s