Date: 11/28/2025
Severity: High
Summary
Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs.
Indicators of Compromise (IOC) List
Commandline: '-m ', '-mode ', '-m:', '-mode:', '-i ', '-input ', '-i:', '-input:', 'scan ', 'scanall ', ':f ', ':r ', ':s ', ' f ', ' r ', ' s '
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
resourcename = "Windows Security" AND eventtype = "4688" AND ((commandline like "-m " or commandline like "-mode " or commandline like "-m:" or commandline like "-mode:") AND (commandline like "-i " or commandline like "-input " or commandline like "-i:" or commandline like "-input:") AND (commandline like "scan " or commandline like "scanall ") AND (commandline like ":f " or commandline like ":r " or commandline like ":s " or commandline like " f " or commandline like " r " or commandline like " s "))
Detection Query 2:
technologygroup = "EDR" AND ((commandline like "-m " or commandline like "-mode " or commandline like "-m:" or commandline like "-mode:") AND (commandline like "-i " or commandline like "-input " or commandline like "-i:" or commandline like "-input:") AND (commandline like "scan " or commandline like "scanall ") AND (commandline like ":f " or commandline like ":r " or commandline like ":s " or commandline like " f " or commandline like " r " or commandline like " s "))
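The same four-group AND/OR test as Detection Query 1, re-implemented here as an added example (not Gurucul's TDIR query engine or the SigmaHQ rule itself) so it can be run offline over sample 4688 process-creation events. It assumes that "like" in the query means a case-insensitive substring match; the event dictionaries, field names and process names below are constructed sample data.

```python
# Added example: replays Detection Query 1's command-line logic over
# constructed Windows Security 4688 records. Assumes "like" is a
# case-insensitive substring test (an assumption about the query language).

MODE_TOKENS = ("-m ", "-mode ", "-m:", "-mode:")
INPUT_TOKENS = ("-i ", "-input ", "-i:", "-input:")
ACTION_TOKENS = ("scan ", "scanall ")
TARGET_TOKENS = (":f ", ":r ", ":s ", " f ", " r ", " s ")


def matches_grixba_pattern(commandline: str) -> bool:
    """True only when every token group has at least one substring hit."""
    cl = commandline.lower()
    groups = (MODE_TOKENS, INPUT_TOKENS, ACTION_TOKENS, TARGET_TOKENS)
    return all(any(tok in cl for tok in group) for group in groups)


def triage_4688_events(events):
    """Return (NewProcessName, CommandLine) for records that fire the rule.

    Only EventID 4688 records are evaluated, mirroring the query's
    eventtype filter; other event types are skipped.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        if matches_grixba_pattern(cmd):
            hits.append((ev.get("NewProcessName", ""), cmd))
    return hits


# Constructed sample events (not real telemetry; file names are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\svc.exe",
     "CommandLine": "svc.exe -m scan -i hosts.txt :f "},           # all four groups
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\ping.exe",
     "CommandLine": "ping.exe -n 1 10.0.0.5"},                      # benign
    {"EventID": 4688, "NewProcessName": r"C:\tools\script.exe",
     "CommandLine": "script.exe -mode scanall -input list.txt"},    # no target token
    {"EventID": 4624, "NewProcessName": "",
     "CommandLine": "svc.exe -m scan -i hosts.txt :f "},            # wrong event type
]

if __name__ == "__main__":
    for name, cmd in triage_4688_events(SAMPLE_EVENTS):
        print(f"ALERT {name}: {cmd}")
```

The third sample shows why the groups are ANDed: a mode, input and scan switch alone does not fire without one of the target tokens, which keeps generic "-m/-i" tooling from alerting on its own.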
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon.yml