Grixba Malware Reconnaissance Activity

    Date: 11/28/2025

    Severity: High

    Summary

    Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs.

    Indicators of Compromise (IOC) List

    Commandline

    '-m '

    '-mode '

    '-m:'

    '-mode:'

    '-i '

    '-input '

    '-i:'

    '-input:'

    'scan '

    'scanall '

    ':f '

    ':r '

    ':s '

    ' f '

    ' r '

    ' s '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    resourcename = "Windows Security" AND eventtype = "4688" AND ((commandline like "-m " or commandline like "-mode " or commandline like "-m:" or commandline like "-mode:") AND (commandline like "-i " or commandline like "-input " or commandline like "-i:" or commandline like "-input:") AND (commandline like "scan " or commandline like "scanall ") AND (commandline like ":f " or commandline like ":r " or commandline like ":s " or commandline like " f " or commandline like " r " or commandline like " s "))

    Detection Query 2:

    technologygroup = "EDR" AND ((commandline like "-m " or commandline like "-mode " or commandline like "-m:" or commandline like "-mode:") AND (commandline like "-i " or commandline like "-input " or commandline like "-i:" or commandline like "-input:") AND (commandline like "scan " or commandline like "scanall ") AND (commandline like ":f " or commandline like ":r " or commandline like ":s " or commandline like " f " or commandline like " r " or commandline like " s "))
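
    The two queries share one structure: four token groups from the IOC list, ANDed together, with any single token satisfying its group. The following is an added example (not Gurucul's or Sigma's code) that re-implements that logic offline over constructed 4688-style events, so the grouping can be checked before it is deployed; it assumes the query language's `like` behaves as a case-sensitive substring test, and it pads the command line with a trailing space so a space-terminated token that ends the command line is still counted.

```python
"""Offline re-implementation of the page's Grixba command-line detection logic.

Added example, not Gurucul's code. Assumes `like` is a case-sensitive
substring test; every sample event below is constructed, not real telemetry.
"""
from typing import Dict, List, Optional

# Token groups copied from the IOC list. The queries AND the four groups
# together; within a group any one token suffices. The trailing spaces are
# part of each token.
GROUPS: Dict[str, List[str]] = {
    "mode":  ["-m ", "-mode ", "-m:", "-mode:"],
    "input": ["-i ", "-input ", "-i:", "-input:"],
    "scan":  ["scan ", "scanall "],
    "flag":  [":f ", ":r ", ":s ", " f ", " r ", " s "],
}

def normalise(cmdline: str) -> str:
    """Collapse whitespace runs and pad with one trailing space so a token that
    ends the command line still satisfies a space-terminated pattern."""
    return " ".join(cmdline.split()) + " "

def matched_groups(cmdline: str) -> Dict[str, Optional[str]]:
    """Per group, the first token found as a plain substring, or None."""
    cmd = normalise(cmdline)
    return {name: next((t for t in toks if t in cmd), None)
            for name, toks in GROUPS.items()}

def is_grixba_recon(cmdline: str) -> bool:
    """True only when every group matches, mirroring the queries' AND structure."""
    return all(tok is not None for tok in matched_groups(cmdline).values())

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Ids of process-creation (4688) events whose command line satisfies the rule
    (the event filter of Detection Query 1)."""
    return [e["id"] for e in events
            if e.get("eventtype") == "4688" and is_grixba_recon(e["commandline"])]

# Constructed sample events. evt-1 is shaped after the IOC tokens (file name is
# a placeholder); evt-2 shows a benign command that hits two groups but not all.
SAMPLE_EVENTS = [
    {"id": "evt-1", "eventtype": "4688",
     "commandline": r"C:\ProgramData\tool.exe -mode:scanall -input:hosts.txt :f"},
    {"id": "evt-2", "eventtype": "4688",
     "commandline": "python.exe -m pip install -i https://pypi.org/simple requests"},
    {"id": "evt-3", "eventtype": "4624", "commandline": ""},  # not a 4688 event
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], matched_groups(e["commandline"]))
    print("hits:", triage(SAMPLE_EVENTS))  # hits: ['evt-1']
```

    Feeding in your own recent 4688 command lines and printing `matched_groups` shows which group each benign near-miss fails on, which is the quickest way to judge the false-positive exposure of the bare " f ", " r " and " s " tokens.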

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon.yml


    Tags

    Sigma, Malware, Grixba, Play Ransomware, Ransomware
