detection.wiki

Detection rules › Sigma

Hacktool Execution - Imphash

Severity
critical
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

MITRE ATT&CK coverage

TacticTechniques
Resource DevelopmentT1588.002 Obtain Capabilities: Tool
Credential AccessT1003 OS Credential Dumping

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
Hashes|contains: 'IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20'
Hashes|contains: 'IMPHASH=03866661686829d806989e2fc5a72606'
Hashes|contains: 'IMPHASH=0588081AB0E63BA785938467E1B10CCA'
Hashes|contains: 'IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51'
Hashes|contains: 'IMPHASH=09D278F9DE118EF09163C6140255C690'
Hashes|contains: 'IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4'
Hashes|contains: 'IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338'
Hashes|contains: 'IMPHASH=0CF479628D7CC1EA25EC7998A92F5051'
Hashes|contains: 'IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C'
Hashes|contains: 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
Hashes|contains: 'IMPHASH=11083E75553BAAE21DC89CE8F9A195E4'
Hashes|contains: 'IMPHASH=13F08707F759AF6003837A150A371BA1'
Hashes|contains: 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
Hashes|contains: 'IMPHASH=17244E8B6B8227E57FE709CCAD421420'
Hashes|contains: 'IMPHASH=1781F06048A7E58B323F0B9259BE798B'
Hashes|contains: 'IMPHASH=17B461A082950FC6332228572138B80C'
Hashes|contains: 'IMPHASH=19584675D94829987952432E018D5056'
Hashes|contains: 'IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC'
Hashes|contains: 'IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5'
Hashes|contains: 'IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1'
Hashes|contains: 'IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D'
Hashes|contains: 'IMPHASH=25CE42B079282632708FC846129E98A5'
Hashes|contains: 'IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798'
Hashes|contains: 'IMPHASH=32089B8851BBF8BC2D014E9F37288C83'
Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
Hashes|contains: 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
Hashes|contains: 'IMPHASH=3A19059BD7688CB88E70005F18EFC439'
Hashes|contains: 'IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E'
Hashes|contains: 'IMPHASH=3AD59991CCF1D67339B319B15A41B35D'
Hashes|contains: 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
Hashes|contains: 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
Hashes|contains: 'IMPHASH=40445337761D80CF465136FAFB1F63E6'
Hashes|contains: 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
Hashes|contains: 'IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F'
Hashes|contains: 'IMPHASH=4DA924CF622D039D58BCE71CDF05D242'
Hashes|contains: 'IMPHASH=51791678F351C03A0EB4E2A7B05C6E17'
Hashes|contains: 'IMPHASH=563233BFA169ACC7892451F71AD5850A'
Hashes|contains: 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
Hashes|contains: 'IMPHASH=59223B5F52D8799D38E0754855CBDF42'
Hashes|contains: 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
Hashes|contains: 'IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4'
Hashes|contains: 'IMPHASH=6118619783FC175BC7EBECFF0769B46E'
Hashes|contains: 'IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2'
Hashes|contains: 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
Hashes|contains: 'IMPHASH=713C29B396B907ED71A72482759ED757'
Hashes|contains: 'IMPHASH=730073214094CD328547BF1F72289752'
Hashes|contains: 'IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F'
Hashes|contains: 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
Hashes|contains: 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
Hashes|contains: 'IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46'
Hashes|contains: 'IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28'
Hashes|contains: 'IMPHASH=819B19D53CA6736448F9325A85736792'
Hashes|contains: 'IMPHASH=81E75D8F1D276C156653D3D8813E4A43'
Hashes|contains: 'IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E'
Hashes|contains: 'IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE'
Hashes|contains: 'IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E'
Hashes|contains: 'IMPHASH=87575CB7A0E0700EB37F2E3668671A08'
Hashes|contains: 'IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313'
Hashes|contains: 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
Hashes|contains: 'IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6'
Hashes|contains: 'IMPHASH=8B114550386E31895DFAB371E741123D'
Hashes|contains: 'IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793'
Hashes|contains: 'IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA'
Hashes|contains: 'IMPHASH=96DF3A3731912449521F6F8D183279B1'
Hashes|contains: 'IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF'
Hashes|contains: 'IMPHASH=9D68781980370E00E0BD939EE5E6C141'
Hashes|contains: 'IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80'
Hashes|contains: 'IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC'
Hashes|contains: 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
Hashes|contains: 'IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB'
Hashes|contains: 'IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE'
Hashes|contains: 'IMPHASH=B18A1401FF8F444056D29450FBC0A6CE'
Hashes|contains: 'IMPHASH=B50199E952C875241B9CE06C971CE3C1'
Hashes|contains: 'IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29'
Hashes|contains: 'IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932'
Hashes|contains: 'IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74'
Hashes|contains: 'IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C'
Hashes|contains: 'IMPHASH=CB567F9498452721D77A451374955F5F'
Hashes|contains: 'IMPHASH=D6D0F80386E1380D05CB78E871BC72B1'
Hashes|contains: 'IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9'
Hashes|contains: 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
Hashes|contains: 'IMPHASH=E6F9D5152DA699934B30DAAB206471F6'
Hashes|contains: 'IMPHASH=E7A3A5C377E2D29324093377D7DB1C66'
Hashes|contains: 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
Hashes|contains: 'IMPHASH=F9A28C458284584A93B14216308D31BD'
Hashes|contains: 'IMPHASH=FFDD59E0318B85A3E480874D9796D872'
Hashes|contains: 'IMPHASH=bf6223a49e45d99094406777eb6004ba'
Hashes|contains: 'IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Hashesmatch
  • IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 corpus 2 (sigma 2)
  • IMPHASH=03866661686829d806989e2fc5a72606 corpus 2 (sigma 2)
  • IMPHASH=0588081AB0E63BA785938467E1B10CCA corpus 2 (sigma 2)
  • IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 corpus 2 (sigma 2)
  • IMPHASH=09D278F9DE118EF09163C6140255C690 corpus 2 (sigma 2)
  • IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 corpus 2 (sigma 2)
  • IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 corpus 2 (sigma 2)
  • IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 corpus 2 (sigma 2)
  • IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C corpus 2 (sigma 2)
  • IMPHASH=0E2216679CA6E1094D63322E3412D650 corpus 3 (sigma 3)
  • IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 corpus 2 (sigma 2)
  • IMPHASH=13F08707F759AF6003837A150A371BA1 corpus 2 (sigma 2)
  • IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 corpus 3 (sigma 3)
  • IMPHASH=17244E8B6B8227E57FE709CCAD421420 corpus 2 (sigma 2)
  • IMPHASH=1781F06048A7E58B323F0B9259BE798B corpus 2 (sigma 2)
  • IMPHASH=17B461A082950FC6332228572138B80C corpus 2 (sigma 2)
  • IMPHASH=19584675D94829987952432E018D5056 corpus 2 (sigma 2)
  • IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC corpus 2 (sigma 2)
  • IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 corpus 2 (sigma 2)
  • IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 corpus 2 (sigma 2)
  • IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D corpus 2 (sigma 2)
  • IMPHASH=25CE42B079282632708FC846129E98A5 corpus 2 (sigma 2)
  • IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 corpus 2 (sigma 2)
  • IMPHASH=32089B8851BBF8BC2D014E9F37288C83 corpus 2 (sigma 2)
  • IMPHASH=330768A4F172E10ACB6287B87289D83B corpus 3 (sigma 3)
  • IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 corpus 3 (sigma 3)
  • IMPHASH=3A19059BD7688CB88E70005F18EFC439 corpus 2 (sigma 2)
  • IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E corpus 2 (sigma 2)
  • IMPHASH=3AD59991CCF1D67339B319B15A41B35D corpus 2 (sigma 2)
  • IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC corpus 3 (sigma 3)
  • IMPHASH=3DE09703C8E79ED2CA3F01074719906B corpus 3 (sigma 3)
  • IMPHASH=40445337761D80CF465136FAFB1F63E6 corpus 2 (sigma 2)
  • IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 corpus 3 (sigma 3)
  • IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F corpus 2 (sigma 2)
  • IMPHASH=4DA924CF622D039D58BCE71CDF05D242 corpus 2 (sigma 2)
  • IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 corpus 2 (sigma 2)
  • IMPHASH=563233BFA169ACC7892451F71AD5850A corpus 2 (sigma 2)
  • IMPHASH=5834ED4291BDEB928270428EBBAF7604 corpus 3 (sigma 3)
  • IMPHASH=59223B5F52D8799D38E0754855CBDF42 corpus 2 (sigma 2)
  • IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 corpus 3 (sigma 3)
  • IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 corpus 2 (sigma 2)
  • IMPHASH=6118619783FC175BC7EBECFF0769B46E corpus 2 (sigma 2)
  • IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 corpus 2 (sigma 2)
  • IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F corpus 3 (sigma 3)
  • IMPHASH=713C29B396B907ED71A72482759ED757 corpus 2 (sigma 2)
  • IMPHASH=730073214094CD328547BF1F72289752 corpus 2 (sigma 2)
  • IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F corpus 2 (sigma 2)
  • IMPHASH=767637C23BB42CD5D7397CF58B0BE688 corpus 3 (sigma 3)
  • IMPHASH=7D010C6BB6A3726F327F7E239166D127 corpus 3 (sigma 3)
  • IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 corpus 2 (sigma 2)
  • IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 corpus 2 (sigma 2)
  • IMPHASH=819B19D53CA6736448F9325A85736792 corpus 2 (sigma 2)
  • IMPHASH=81E75D8F1D276C156653D3D8813E4A43 corpus 2 (sigma 2)
  • IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E corpus 2 (sigma 2)
  • IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE corpus 2 (sigma 2)
  • IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E corpus 2 (sigma 2)
  • IMPHASH=87575CB7A0E0700EB37F2E3668671A08 corpus 2 (sigma 2)
  • IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 corpus 2 (sigma 2)
  • IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 corpus 3 (sigma 3)
  • IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 corpus 2 (sigma 2)
  • IMPHASH=8B114550386E31895DFAB371E741123D corpus 2 (sigma 2)
  • IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 corpus 2 (sigma 2)
  • IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA corpus 2 (sigma 2)
  • IMPHASH=96DF3A3731912449521F6F8D183279B1 corpus 2 (sigma 2)
  • IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF corpus 2 (sigma 2)
  • IMPHASH=9D68781980370E00E0BD939EE5E6C141 corpus 2 (sigma 2)
  • IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 corpus 2 (sigma 2)
  • IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC corpus 2 (sigma 2)
  • IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F corpus 3 (sigma 3)
  • IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB corpus 2 (sigma 2)
  • IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE corpus 2 (sigma 2)
  • IMPHASH=B18A1401FF8F444056D29450FBC0A6CE corpus 2 (sigma 2)
  • IMPHASH=B50199E952C875241B9CE06C971CE3C1
  • IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 corpus 2 (sigma 2)
  • IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 corpus 2 (sigma 2)
  • IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 corpus 2 (sigma 2)
  • IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C corpus 2 (sigma 2)
  • IMPHASH=CB567F9498452721D77A451374955F5F corpus 2 (sigma 2)
  • IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 corpus 2 (sigma 2)
  • IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 corpus 2 (sigma 2)
  • IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 corpus 3 (sigma 3)
  • IMPHASH=E6F9D5152DA699934B30DAAB206471F6 corpus 2 (sigma 2)
  • IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 corpus 2 (sigma 2)
  • IMPHASH=E96A73C7BF33A464C510EDE582318BF2 corpus 3 (sigma 3)
  • IMPHASH=F9A28C458284584A93B14216308D31BD corpus 2 (sigma 2)
  • IMPHASH=FFDD59E0318B85A3E480874D9796D872 corpus 2 (sigma 2)
  • IMPHASH=bf6223a49e45d99094406777eb6004ba corpus 2 (sigma 2)
  • IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d corpus 2 (sigma 2)