HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Sigma rule (View on GitHub)
1title: HackTool Named File Stream Created
2id: 19b041f6-e583-40dc-b842-d6fa8011493f
3status: test
4description: Detects the creation of a named file stream with the imphash of a well-known hack tool
5references:
6 - https://github.com/gentilkiwi/mimikatz
7 - https://github.com/topotam/PetitPotam
8 - https://github.com/ohpe/juicy-potato
9 - https://github.com/antonioCoco/RoguePotato
10 - https://www.tarasco.org/security/pwdump_7/
11 - https://github.com/fortra/nanodump
12 - https://github.com/codewhitesec/HandleKatz
13 - https://github.com/xuanxuan0/DripLoader
14 - https://github.com/hfiref0x/UACME
15 - https://github.com/outflanknl/Dumpert
16 - https://github.com/wavestone-cdt/EDRSandblast
17author: Florian Roth (Nextron Systems)
18date: 2022-08-24
19modified: 2024-11-23
20tags:
21 - attack.defense-evasion
22 - attack.s0139
23 - attack.t1564.004
24logsource:
25 product: windows
26 category: create_stream_hash
27 definition: 'Requirements: Sysmon config with Imphash logging activated'
28detection:
29 selection:
30 Hash|contains: # Sysmon field hashes contains all types
31 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
32 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
33 - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
34 - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
35 - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
36 - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
37 - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
38 - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
39 - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
40 - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
41 - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
42 - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
43 - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
44 - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
45 - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
46 - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
47 - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
48 - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
49 - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
50 - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
51 - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
52 - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
53 - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
54 - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
55 - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
56 - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
57 - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
58 - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
59 - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
60 - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
61 - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
62 - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
63 - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
64 - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
65 - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
66 - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
67 - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
68 - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
69 - IMPHASH=730073214094CD328547BF1F72289752 # Htran
70 - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
71 - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
72 - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
73 - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
74 - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
75 - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
76 - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
77 - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
78 - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
79 - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
80 - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
81 - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
82 - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
83 - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
84 - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
85 - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
86 - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
87 - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
88 - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
89 - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
90 - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
91 - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
92 - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
93 - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
94 - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
95 - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
96 - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
97 - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
98 - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
99 - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
100 - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
101 - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
102 - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
103 - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
104 - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
105 - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
106 - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
107 - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
108 - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
109 - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
110 - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
111 - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
112 - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
113 - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
114 - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
115 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
116 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
117 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
118 - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
119 - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
120 - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
121 - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
122 - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
123 - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
124 - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
125 - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
126 - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
127 - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
128 - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
129 - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
130 - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
131 - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
132 - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
133 condition: selection
134falsepositives:
135 - Unknown
136level: high
References
-
A little tool to play with Windows security. Contribute to gentilkiwi/mimikatz development by creating an account on GitHub.
Read More -
PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. - topotam/PetitPotam
Read More -
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. - GitHub - ohpe/juicy-potato: A suga...
Read More -
Another Windows Local Privilege Escalation from Service Account to System - antonioCoco/RoguePotato
Read More -
Tarlogic has a team of high-level cybersecurity experts. We raise defenses against any present or future threat
Read More -
The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.
Read More -
PIC lsass dumper using cloned handles. Contribute to codewhitesec/HandleKatz development by creating an account on GitHub.
Read More -
Evasive shellcode loader for bypassing event-based injection detection (PoC) - xuanxuan0/DripLoader
Read More -
Defeating Windows User Account Control. Contribute to hfiref0x/UACME development by creating an account on GitHub.
Read More -
-
Related rules
- Suspicious File Download From File Sharing Websites - File Stream
- Unusual File Download From File Sharing Websites - File Stream
- Hidden Executable In NTFS Alternate Data Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI