
Hacktool Execution - Imphash

Format: Sigma · Level: CRITICAL · Source: SigmaHQ
ATT&CK: T1588.002, T1003
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-08T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects the execution of known Windows hacktools (credential dumpers, Potato-family privilege-escalation tools, EDR and Sysmon tampering tools, C2 implants) by their import hash (imphash), so that a renamed copy is still caught. The imphash is an MD5 over the binary's import table (module and function names in link order), not over the file name, signature or strings, so renaming, re-signing or editing resources does not change it. It does change whenever the import table changes: a rebuild with different imports or link order, packing, or deliberate import obfuscation. Each entry therefore pins a specific build of a tool, and the list needs refreshing as new releases appear. Sigma's contains modifier is case-insensitive by default, which is why the three lower-case values in the list still match Sysmon's upper-case hex output.

Detection Rule

Sigma (Original)

title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # SharpEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical
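The following Python is an added example, not part of the SigmaHQ rule or of this page's original content. It does two things the description above only states: it builds an import hash the way pefile does (lower-cased dll.function pairs in import order, MD5 of the comma-joined string), which makes it visible that the file name never enters the hash, and it runs the rule's selection over constructed Sysmon Event ID 1 records, including one from a host whose Sysmon configuration does not emit IMPHASH. The sample events, their paths and their SHA256/MD5 values are made up; only the IMPHASH values are copied from the rule. Imports by ordinal, which pefile resolves through a per-module ordinal table, are assumed absent.

```python
"""Added example: pefile-style import hash and the rule's selection logic
run over constructed Sysmon process-creation events."""
import hashlib

# Subset of the rule's IMPHASH values (tool names from the rule's comments),
# stored lower-case because Sigma 'contains' is case-insensitive while Sysmon
# writes hashes in upper-case hex.
HACKTOOL_IMPHASHES = {
    "bcca3c247b619dcd13c8cdff5f123932": "PetitPotam",
    "23867a89c2b8fc733be6cf5ef902f2d1": "JuicyPotato",
    "0d9ec08bac6c07d9987dfd0f1506587c": "NanoDump",
    "767637c23bb42cd5d7397cf58b0be688": "UACMe Akagi",
    "09d278f9de118ef09163c6140255c690": "Dumpert",
    "8a790f401b29fa87bc1e56f7272b3aa6": "EDRSilencer",
}


def imphash_input(imports):
    """Build the string pefile hashes: 'dll.function' pairs, lower-cased, with a
    .dll/.ocx/.sys extension stripped from the module name, joined by ',' in
    import-table order. Assumption: all imports are by name (pefile maps
    ordinal imports through a per-module table, which is not reproduced here)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        if dll.endswith((".dll", ".ocx", ".sys")):
            dll = dll.rsplit(".", 1)[0]
        parts.append(f"{dll}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string; the file name never enters the computation."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


def parse_hashes(hashes_field):
    """Split Sysmon's 'Hashes' value ('SHA256=...,IMPHASH=...') into a dict
    keyed by algorithm name; values are normalised to lower-case."""
    out = {}
    for item in hashes_field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(event):
    """Equivalent of the rule's selection (Hashes|contains 'IMPHASH=<value>'):
    return the tool name on a hit, else None. Events without an IMPHASH entry
    (Sysmon not configured for it) can never match."""
    value = parse_hashes(event.get("Hashes", "")).get("IMPHASH")
    return HACKTOOL_IMPHASHES.get(value) if value else None


def scan(events):
    """Run the selection over a list of events; return (Image, tool) for hits."""
    hits = []
    for event in events:
        tool = match_event(event)
        if tool:
            hits.append((event["Image"], tool))
    return hits


# Constructed Sysmon Event ID 1 records; SHA256/MD5 values are placeholders.
SAMPLE_EVENTS = [
    {   # PetitPotam renamed to blend in: the name changed, the import hash did not
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111,"
                  "MD5=22222222222222222222222222222222,"
                  "IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932",
    },
    {   # Lower-case hash in the log still matches (case-insensitive comparison)
        "Image": r"C:\ProgramData\update.exe",
        "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333,"
                  "IMPHASH=8a790f401b29fa87bc1e56f7272b3aa6",
    },
    {   # Benign binary: import hash present but not in the list
        "Image": r"C:\Windows\System32\notepad.exe",
        "Hashes": "SHA256=4444444444444444444444444444444444444444444444444444444444444444,"
                  "IMPHASH=44444444444444444444444444444444",
    },
    {   # Host whose Sysmon config omits IMPHASH: no value, so no match possible
        "Image": r"C:\Users\alice\Downloads\PetitPotam.exe",
        "Hashes": "SHA256=5555555555555555555555555555555555555555555555555555555555555555",
    },
]

if __name__ == "__main__":
    for image, tool in scan(SAMPLE_EVENTS):
        print(f"HIT {tool}: {image}")
    demo = [("KERNEL32.dll", "CreateFileW"), ("ADVAPI32.dll", "OpenProcessToken")]
    print(imphash_input(demo), imphash(demo))
```

The fourth sample event is the one to remember when tuning: a real PetitPotam binary on a host without IMPHASH in its Sysmon HashAlgorithms produces no value for the rule to compare, so an absence of hits says nothing until hash coverage has been confirmed.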

KQL (Azure Sentinel)

imProcessCreate
// The ASIM column holds the bare hash, without the "IMPHASH=" prefix Sysmon writes.
// "in~" is case-insensitive, which preserves Sigma's default "contains" semantics
// for the three lower-case values in the rule.
| where TargetProcessIMPHASH in~ (
    "BCCA3C247B619DCD13C8CDFF5F123932", // PetitPotam
    "3A19059BD7688CB88E70005F18EFC439", // PetitPotam
    "bf6223a49e45d99094406777eb6004ba", // PetitPotam
    "23867A89C2B8FC733BE6CF5EF902F2D1", // JuicyPotato
    "A37FF327F8D48E8A4D2F757E1B6E70BC", // JuicyPotato
    "F9A28C458284584A93B14216308D31BD", // JuicyPotatoNG
    "6118619783FC175BC7EBECFF0769B46E", // RoguePotato
    "959A83047E80AB68B368FDB3F4C6E4EA", // RoguePotato
    "563233BFA169ACC7892451F71AD5850A", // RoguePotato
    "87575CB7A0E0700EB37F2E3668671A08", // RoguePotato
    "13F08707F759AF6003837A150A371BA1", // Pwdump
    "1781F06048A7E58B323F0B9259BE798B", // Pwdump
    "233F85F2D4BC9D6521A6CAAE11A1E7F5", // Pwdump
    "24AF2584CBF4D60BBE5C6D1B31B3BE6D", // Pwdump
    "632969DDF6DBF4E0F53424B75E4B91F2", // Pwdump
    "713C29B396B907ED71A72482759ED757", // Pwdump
    "749A7BB1F0B4C4455949C0B2BF7F9E9F", // Pwdump
    "8628B2608957A6B0C6330AC3DE28CE2E", // Pwdump
    "8B114550386E31895DFAB371E741123D", // Pwdump
    "94CB940A1A6B65BED4D5A8F849CE9793", // PwDumpX
    "9D68781980370E00E0BD939EE5E6C141", // Pwdump
    "B18A1401FF8F444056D29450FBC0A6CE", // Pwdump
    "CB567F9498452721D77A451374955F5F", // Pwdump
    "730073214094CD328547BF1F72289752", // Htran
    "17B461A082950FC6332228572138B80C", // Cobalt Strike beacons
    "DC25EE78E2EF4D36FAA0BADF1E7461C9", // Cobalt Strike beacons
    "819B19D53CA6736448F9325A85736792", // Cobalt Strike beacons
    "829DA329CE140D873B4A8BDE2CBFAA7E", // Cobalt Strike beacons
    "C547F2E66061A8DFFB6F5A3FF63C0A74", // PPLDump
    "0588081AB0E63BA785938467E1B10CCA", // PPLDump
    "0D9EC08BAC6C07D9987DFD0F1506587C", // NanoDump
    "BC129092B71C89B4D4C8CDF8EA590B29", // NanoDump
    "4DA924CF622D039D58BCE71CDF05D242", // NanoDump
    "E7A3A5C377E2D29324093377D7DB1C66", // NanoDump
    "9A9DBEC5C62F0380B4FA5FD31DEFFEDF", // NanoDump
    "AF8A3976AD71E5D5FDFB67DDB8DADFCE", // NanoDump
    "0C477898BBF137BBD6F2A54E3B805FF4", // NanoDump
    "0CA9F02B537BCEA20D4EA5EB1A9FE338", // NanoDump
    "3AB3655E5A14D4EEFC547F4781BF7F9E", // NanoDump
    "E6F9D5152DA699934B30DAAB206471F6", // NanoDump
    "3AD59991CCF1D67339B319B15A41B35D", // NanoDump
    "FFDD59E0318B85A3E480874D9796D872", // NanoDump
    "0CF479628D7CC1EA25EC7998A92F5051", // NanoDump
    "07A2D4DCBD6CB2C6A45E6B101F0B6D51", // NanoDump
    "D6D0F80386E1380D05CB78E871BC72B1", // NanoDump
    "38D9E015591BBFD4929E0D0F47FA0055", // HandleKatz
    "0E2216679CA6E1094D63322E3412D650", // HandleKatz
    "ADA161BF41B8E5E9132858CB54CAB5FB", // DripLoader
    "2A1BC4913CD5ECB0434DF07CB675B798", // DripLoader
    "11083E75553BAAE21DC89CE8F9A195E4", // DripLoader
    "A23D29C9E566F2FA8FFBB79267F5DF80", // DripLoader
    "4A07F944A83E8A7C2525EFA35DD30E2F", // CreateMiniDump
    "767637C23BB42CD5D7397CF58B0BE688", // UACMe Akagi
    "14C4E4C72BA075E9069EE67F39188AD8", // UACMe Akagi
    "3C782813D4AFCE07BBFC5A9772ACDBDC", // UACMe Akagi
    "7D010C6BB6A3726F327F7E239166D127", // UACMe Akagi
    "89159BA4DD04E4CE5559F132A9964EB3", // UACMe Akagi
    "6F33F4A5FC42B8CEC7314947BD13F30F", // UACMe Akagi
    "5834ED4291BDEB928270428EBBAF7604", // UACMe Akagi
    "5A8A8A43F25485E7EE1B201EDCBC7A38", // UACMe Akagi
    "DC7D30B90B2D8ABF664FBED2B1B59894", // UACMe Akagi
    "41923EA1F824FE63EA5BEB84DB7A3E74", // UACMe Akagi
    "3DE09703C8E79ED2CA3F01074719906B", // UACMe Akagi
    "A53A02B997935FD8EEDCB5F7ABAB9B9F", // WCE
    "E96A73C7BF33A464C510EDE582318BF2", // WCE
    "32089B8851BBF8BC2D014E9F37288C83", // Sliver Stagers
    "09D278F9DE118EF09163C6140255C690", // Dumpert
    "03866661686829d806989e2fc5a72606", // Dumpert
    "e57401fbdadcd4571ff385ab82bd5d6d", // Dumpert
    "84B763C45C0E4A3E7CA5548C710DB4EE", // SysmonEnte
    "19584675D94829987952432E018D5056", // SysmonQuiet
    "330768A4F172E10ACB6287B87289D83B", // SharpEvtMute Hook
    "885C99CCFBE77D1CBFCB9C4E7C1A3313", // Forkatz
    "22A22BC9E4E0D2F189F1EA01748816AC", // PPLKiller
    "7FA30E6BB7E8E8A69155636E50BF1B28", // PPLKiller
    "96DF3A3731912449521F6F8D183279B1", // Backstab
    "7E6CF3FF4576581271AC8A313B2AAB46", // Backstab
    "51791678F351C03A0EB4E2A7B05C6E17", // Backstab
    "25CE42B079282632708FC846129E98A5", // Forensia
    "021BCCA20BA3381B11BDDE26B4E62F20", // EDRSandBlast
    "59223B5F52D8799D38E0754855CBDF42", // EDRSandBlast
    "81E75D8F1D276C156653D3D8813E4A43", // EDRSandBlast
    "17244E8B6B8227E57FE709CCAD421420", // EDRSandBlast
    "5B76DA3ACDEDC8A5CDF23A798B5936B4", // EDRSandBlast
    "CB2B65BB77D995CC1C0E5DF1C860133C", // EDRSandBlast
    "40445337761D80CF465136FAFB1F63E6", // EDRSandBlast
    "8A790F401B29FA87BC1E56F7272B3AA6", // EDRSilencer
    "B50199E952C875241B9CE06C971CE3C1"  // EventLogCrasher
)

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled. imProcessCreate is the ASIM ProcessEvent parser rather than a single connector, and the TargetProcessIMPHASH column is filled only from Sysmon Event ID 1 records whose Hashes field carries an IMPHASH entry, which requires IMPHASH in the Sysmon configuration's HashAlgorithms (for example MD5,SHA256,IMPHASH, or * for all). Process events from Security event 4688 or Defender for Endpoint DeviceProcessEvents carry no import hash, so the rule is blind on hosts that feed only those sources. Before relying on it, count rows with a non-empty TargetProcessIMPHASH per EventProduct to confirm which hosts actually supply the value.

False Positive Guidance

The rule's own falsepositives entry is "Legitimate use of one of these tools": authorized penetration tests and red-team engagements, and security staff running tools such as EDRSandBlast or Backstab in a lab to evaluate controls. Check the engagement calendar and the executing user before escalating. A second source of false positives is inherent to the method: an import hash captures only the import table, so a small unrelated program built from the same template or toolchain can share an imphash with a listed build. A hit deserves critical-level triage, but confirm it with the full file hash, code-signing status, path and parent process before declaring an incident.

MITRE ATT&CK Context

T1588.002 Obtain Capabilities: Tool (Resource Development): every entry is a publicly available offensive tool the adversary acquires rather than builds, which is what makes a fixed import hash usable. T1003 OS Credential Dumping (Credential Access): Pwdump, WCE, NanoDump, HandleKatz, Dumpert, CreateMiniDump and PPLDump target LSASS or the SAM. The rule's tags stop there, but the list also covers privilege escalation (the Potato family, UACMe), defense evasion and EDR or logging tampering (EDRSandBlast, EDRSilencer, Backstab, PPLKiller, SysmonEnte, SysmonQuiet, SharpEvtMute, EventLogCrasher, Forensia, DripLoader) and command and control (Cobalt Strike beacons, Sliver stagers, Htran), so a hit should be mapped to the tool's own technique during triage.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml