title: Windows Hacktool Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
description: Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed
status: experimental
author: Florian Roth
references:
    - Internal Research
date: 2022/03/04
modified: 2022/03/16
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Imphash:
            - BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - 3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - 9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
            - A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
            - D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
            - 9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
            - 4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
            - 725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
            - 672B13F4A0B6F27D29065123FE882DFC # Mimikatz
            - 0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
            - 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - 9FB060C2977A9D9B782440B98D410C3E # RoguePotato
            - B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - 13F08707F759AF6003837A150A371BA1 # Pwdump
            - 749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - 94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - 1781F06048A7E58B323F0B9259BE798B # Pwdump
            - CB567F9498452721D77A451374955F5F # Pwdump
            - 730073214094CD328547BF1F72289752 # Htran
            - 6EEFD92BFFBFB27F378B81C09CA96786 # Ncat
            - AC615FB1D93576FA3C26077A619C9144 # Ncat
            - DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - 17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - 0588081AB0E63BA785938467E1B10CCA # PPLDump
            - ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - 2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - 11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
        - Hashes|contains: # Sysmon field "Hashes" contains all hash types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=9FB060C2977A9D9B782440B98D410C3E # RoguePotato
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=6EEFD92BFFBFB27F378B81C09CA96786 # Ncat
            - IMPHASH=AC615FB1D93576FA3C26077A619C9144 # Ncat
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: high
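The rule's two selection branches exist because event sources expose the imphash differently: some schemas carry a dedicated `Imphash` field, while Sysmon packs every configured hash into one `Hashes` string of the form `SHA1=...,MD5=...,SHA256=...,IMPHASH=...`, which is why the second branch uses `|contains` with an `IMPHASH=` prefix. The following added example (not part of the rule or of the Sigma project) shows how a detection engine evaluates that logic over process_creation events: it pulls the imphash out of either field shape and matches it against a subset of the imphashes listed in the rule. The sample events and the all-zero SHA1/MD5 values in them are constructed; only the imphash values come from the rule. The renamed-binary case illustrates the rule's point that the import hash survives a file rename.

```python
import re

# Subset of the imphashes from the Sigma rule above, keyed lower-case because
# Sigma string matching is case-insensitive. Tool names are the rule's comments.
HACKTOOL_IMPHASHES = {
    "bcca3c247b619dcd13c8cdff5f123932": "PetitPotam",
    "9da6d5d77be11712527dcab86df449a3": "Mimikatz",
    "23867a89c2b8fc733be6cf5ef902f2d1": "JuicyPotato",
    "dc25ee78e2ef4d36faa0badf1e7461c9": "Cobalt Strike beacons",
    "c547f2e66061a8dffb6f5a3ff63c0a74": "PPLDump",
}

# Sysmon writes the Hashes field as comma-separated ALGO=value pairs; the
# IMPHASH pair is only present when the Sysmon config enables that algorithm.
_IMPHASH_IN_HASHES = re.compile(r"(?:^|,)IMPHASH=([0-9A-Fa-f]{32})")


def imphash_from_event(event):
    """Return the lower-cased imphash from a process_creation event, or None.

    Covers both shapes the rule selects on: a dedicated 'Imphash' field
    (first branch) and Sysmon's combined 'Hashes' field (second branch,
    'Hashes|contains: IMPHASH=...').
    """
    value = event.get("Imphash")
    if value:
        return value.lower()
    match = _IMPHASH_IN_HASHES.search(event.get("Hashes", ""))
    return match.group(1).lower() if match else None


def match_rule(event):
    """Return the tool name when the event's imphash is on the list, else None."""
    imphash = imphash_from_event(event)
    if imphash is None:
        return None
    return HACKTOOL_IMPHASHES.get(imphash)


# Constructed sample events (hypothetical paths; SHA1/MD5 values are dummies).
SAMPLE_EVENTS = [
    # Mimikatz renamed to notepad.exe, logged by Sysmon with a combined Hashes field.
    {
        "Image": r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
        "Hashes": "SHA1=0000000000000000000000000000000000000000,"
                  "MD5=00000000000000000000000000000000,"
                  "IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3",
    },
    # Source with a dedicated Imphash field, value already lower-case.
    {"Image": r"C:\Temp\pp.exe", "Imphash": "bcca3c247b619dcd13c8cdff5f123932"},
    # Benign process: imphash present but not on the list.
    {
        "Image": r"C:\Windows\System32\svchost.exe",
        "Hashes": "MD5=11111111111111111111111111111111,"
                  "IMPHASH=11111111111111111111111111111111",
    },
    # Event with no hash information at all (imphash not enabled in the config).
    {"Image": r"C:\Windows\explorer.exe"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Evaluate the rule over a list of events; return (Image, tool-or-None) pairs."""
    return [(event["Image"], match_rule(event)) for event in events]


if __name__ == "__main__":
    for image, tool in run_detection():
        print(f"{'ALERT' if tool else 'ok   '} {image}" + (f"  [{tool}]" if tool else ""))
```

Note the last sample: if the Sysmon configuration does not include `imphash` in its `HashAlgorithms` setting, the `Hashes` field carries no `IMPHASH=` pair and this rule cannot fire, so checking that setting is part of deploying the rule.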