Florian Roth
78 lines
4.1 KiB
YAML
78 lines
4.1 KiB
YAML
title: Windows Hacktool Imphash
|
|
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
|
|
description: Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed
|
|
status: experimental
|
|
author: Florian Roth
|
|
references:
|
|
- Internal Research
|
|
date: 2022/03/04
|
|
modified: 2022/03/16
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
- Imphash:
|
|
- BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
|
|
- 3A19059BD7688CB88E70005F18EFC439 # PetitPotam
|
|
- 9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
|
|
- A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
|
|
- D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
|
|
- 9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
|
|
- 4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
|
|
- 725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
|
|
- 672B13F4A0B6F27D29065123FE882DFC # Mimikatz
|
|
- 0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
|
|
- 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
|
|
- 9FB060C2977A9D9B782440B98D410C3E # RoguePotato
|
|
- B18A1401FF8F444056D29450FBC0A6CE # Pwdump
|
|
- 13F08707F759AF6003837A150A371BA1 # Pwdump
|
|
- 749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
|
|
- 94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
|
|
- 1781F06048A7E58B323F0B9259BE798B # Pwdump
|
|
- CB567F9498452721D77A451374955F5F # Pwdump
|
|
- 730073214094CD328547BF1F72289752 # Htran
|
|
- 6EEFD92BFFBFB27F378B81C09CA96786 # Ncat
|
|
- AC615FB1D93576FA3C26077A619C9144 # Ncat
|
|
- DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
|
|
- 17B461A082950FC6332228572138B80C # Cobalt Strike beacons
|
|
- C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
|
|
- 0588081AB0E63BA785938467E1B10CCA # PPLDump
|
|
- ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
|
|
- 2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
|
|
- 11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
|
|
- A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
|
|
- Hashes|contains: # Sysmon field hashes contains all types
|
|
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
|
|
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
|
|
- IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
|
|
- IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
|
|
- IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
|
|
- IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
|
|
- IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
|
|
- IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
|
|
- IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
|
|
- IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
|
|
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
|
|
- IMPHASH=9FB060C2977A9D9B782440B98D410C3E # RoguePotato
|
|
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
|
|
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
|
|
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
|
|
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
|
|
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
|
|
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
|
|
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
|
|
- IMPHASH=6EEFD92BFFBFB27F378B81C09CA96786 # Ncat
|
|
- IMPHASH=AC615FB1D93576FA3C26077A619C9144 # Ncat
|
|
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
|
|
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
|
|
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
|
|
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
|
|
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
|
|
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
|
|
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
|
|
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
|
|
condition: selection
|
|
falsepositives:
|
|
- Legitimate use of one of these tools
|
|
level: high |