HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Sigma rule (View on GitHub)
1title: HackTool Named File Stream Created
2id: 19b041f6-e583-40dc-b842-d6fa8011493f
3status: test
4description: Detects the creation of a named file stream with the imphash of a well-known hack tool
5references:
6 - https://github.com/gentilkiwi/mimikatz
7 - https://github.com/topotam/PetitPotam
8 - https://github.com/ohpe/juicy-potato
9 - https://github.com/antonioCoco/RoguePotato
10 - https://www.tarasco.org/security/pwdump_7/
11 - https://github.com/fortra/nanodump
12 - https://github.com/codewhitesec/HandleKatz
13 - https://github.com/xuanxuan0/DripLoader
14 - https://github.com/hfiref0x/UACME
15 - https://github.com/outflanknl/Dumpert
16 - https://github.com/wavestone-cdt/EDRSandblast
17author: Florian Roth (Nextron Systems)
18date: 2022-08-24
19modified: 2024-01-02
20tags:
21 - attack.defense-evasion
22 - attack.s0139
23 - attack.t1564.004
24logsource:
25 product: windows
26 category: create_stream_hash
27 definition: 'Requirements: Sysmon config with Imphash logging activated'
28detection:
29 selection:
30 - Imphash:
31 - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
32 - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
33 - bf6223a49e45d99094406777eb6004ba # PetitPotam
34 - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
35 - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
36 - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
37 - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
38 - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
39 - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
40 - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
41 - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
42 - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
43 - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
44 - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
45 - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
46 - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
47 - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
48 - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
49 - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
50 - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
51 - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
52 - 6118619783fc175bc7ebecff0769b46e # RoguePotato
53 - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
54 - 563233bfa169acc7892451f71ad5850a # RoguePotato
55 - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
56 - 13f08707f759af6003837a150a371ba1 # Pwdump
57 - 1781f06048a7e58b323f0b9259be798b # Pwdump
58 - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
59 - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
60 - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
61 - 713c29b396b907ed71a72482759ed757 # Pwdump
62 - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
63 - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
64 - 8b114550386e31895dfab371e741123d # Pwdump
65 - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
66 - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
67 - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
68 - cb567f9498452721d77a451374955f5f # Pwdump
69 - 730073214094cd328547bf1f72289752 # Htran
70 - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
71 - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
72 - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
73 - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
74 - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
75 - 0588081ab0e63ba785938467e1b10cca # PPLDump
76 - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
77 - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
78 - 4da924cf622d039d58bce71cdf05d242 # NanoDump
79 - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
80 - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
81 - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
82 - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
83 - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
84 - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
85 - e6f9d5152da699934b30daab206471f6 # NanoDump
86 - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
87 - ffdd59e0318b85a3e480874d9796d872 # NanoDump
88 - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
89 - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
90 - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
91 - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
92 - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
93 - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
94 - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
95 - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
96 - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
97 - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
98 - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
99 - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
100 - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
101 - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
102 - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
103 - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
104 - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
105 - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
106 - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
107 - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
108 - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
109 - a53a02b997935fd8eedcb5f7abab9b9f # WCE
110 - e96a73c7bf33a464c510ede582318bf2 # WCE
111 - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
112 - 09D278F9DE118EF09163C6140255C690 # Dumpert
113 - 03866661686829d806989e2fc5a72606 # Dumpert
114 - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
115 - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
116 - 19584675d94829987952432e018d5056 # SysmonQuiet
117 - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
118 - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
119 - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
120 - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
121 - 96df3a3731912449521f6f8d183279b1 # Backstab
122 - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
123 - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
124 - 25ce42b079282632708fc846129e98a5 # Forensia
125 - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
126 - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
127 - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
128 - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
129 - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
130 - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
131 - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
132 - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
133 - Hash|contains: # Sysmon field hashes contains all types
134 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
135 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
136 - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
137 - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
138 - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
139 - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
140 - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
141 - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
142 - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
143 - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
144 - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
145 - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
146 - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
147 - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
148 - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
149 - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
150 - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
151 - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
152 - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
153 - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
154 - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
155 - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
156 - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
157 - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
158 - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
159 - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
160 - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
161 - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
162 - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
163 - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
164 - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
165 - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
166 - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
167 - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
168 - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
169 - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
170 - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
171 - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
172 - IMPHASH=730073214094CD328547BF1F72289752 # Htran
173 - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
174 - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
175 - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
176 - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
177 - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
178 - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
179 - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
180 - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
181 - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
182 - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
183 - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
184 - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
185 - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
186 - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
187 - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
188 - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
189 - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
190 - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
191 - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
192 - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
193 - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
194 - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
195 - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
196 - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
197 - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
198 - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
199 - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
200 - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
201 - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
202 - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
203 - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
204 - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
205 - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
206 - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
207 - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
208 - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
209 - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
210 - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
211 - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
212 - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
213 - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
214 - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
215 - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
216 - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
217 - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
218 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
219 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
220 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
221 - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
222 - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
223 - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
224 - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
225 - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
226 - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
227 - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
228 - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
229 - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
230 - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
231 - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
232 - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
233 - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
234 - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
235 - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
236 condition: selection
237falsepositives:
238 - Unknown
239level: high
References
Related rules
- Suspicious File Download From File Sharing Websites - File Stream
- Unusual File Download From File Sharing Websites - File Stream
- Hidden Executable In NTFS Alternate Data Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI