blue-team-tools/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml

title: Windows Hacktool Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
description: Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed
status: experimental
author: Florian Roth
references:
    - Internal Research
date: 2022/03/04
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Imphash: 
            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
            - 9fb060c2977a9d9b782440b98d410c3e # RoguePotato
            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
            - 13f08707f759af6003837a150a371ba1 # Pwdump
            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
            - 1781f06048a7e58b323f0b9259be798b # Pwdump
            - cb567f9498452721d77a451374955f5f # Pwdump
            - 730073214094cd328547bf1f72289752 # Htran
            - 6eefd92bffbfb27f378b81c09ca96786 # Ncat
            - ac615fb1d93576fa3c26077a619c9144 # Ncat
            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
            - 0588081ab0e63ba785938467e1b10cca # PPLDump
        - Hashes|contains:  # Sysmon field hashes contains all types
            - IMPHASH=bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
            - IMPHASH=3a19059bd7688cb88e70005f18efc439 # PetitPotam
            - IMPHASH=9da6d5d77be11712527dcab86df449a3 # Mimikatz
            - IMPHASH=a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
            - IMPHASH=d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
            - IMPHASH=9528a0e91e28fbb88ad433feabca2456 # Mimikatz
            - IMPHASH=4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
            - IMPHASH=725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
            - IMPHASH=672b13f4a0b6f27d29065123fe882dfc # Mimikatz
            - IMPHASH=0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
            - IMPHASH=23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
            - IMPHASH=9fb060c2977a9d9b782440b98d410c3e # RoguePotato
            - IMPHASH=b18a1401ff8f444056d29450fbc0a6ce # Pwdump
            - IMPHASH=13f08707f759af6003837a150a371ba1 # Pwdump
            - IMPHASH=749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
            - IMPHASH=94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
            - IMPHASH=1781f06048a7e58b323f0b9259be798b # Pwdump
            - IMPHASH=cb567f9498452721d77a451374955f5f # Pwdump
            - IMPHASH=730073214094cd328547bf1f72289752 # Htran
            - IMPHASH=6eefd92bffbfb27f378b81c09ca96786 # Ncat
            - IMPHASH=ac615fb1d93576fa3c26077a619c9144 # Ncat
            - IMPHASH=dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
            - IMPHASH=17b461a082950fc6332228572138b80c # Cobalt Strike beacons
            - IMPHASH=c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
            - IMPHASH=0588081ab0e63ba785938467e1b10cca # PPLDump
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: high