Grixba Malware Reconnaissance Activity

Rule Info

Name: Grixba Malware Reconnaissance Activity
Author: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
Date: 2025-11-26 00:00:00
Modified: None
Id: af688c76-4ce4-4309-bfdd-e896f01acf27
Tags: attack.reconnaissance, attack.t1595.001, attack.discovery, attack.t1046, detection.emerging-threats
Type: Community Rule

Rule History

Author       Title                                                                          Date        Commit
YxinMiracle  Merge PR #5707 from @YxinMiracle - Add `Grixba Malware Reconnaissance Activity`  2025-11-28