Techniques
Sample rules
Hacktool Execution - Imphash
- source: sigma
- techniques:
    - t1003
    - t1588
    - t1588.002
Description
Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed
Detection logic
selection:
    - Imphash:
        - bcca3c247b619dcd13c8cdff5f123932
        - 3a19059bd7688cb88e70005f18efc439
        - bf6223a49e45d99094406777eb6004ba
        - 23867a89c2b8fc733be6cf5ef902f2d1
        - a37ff327f8d48e8a4d2f757e1b6e70bc
        - f9a28c458284584a93b14216308d31bd
        - 6118619783fc175bc7ebecff0769b46e
        - 959a83047e80ab68b368fdb3f4c6e4ea
        - 563233bfa169acc7892451f71ad5850a
        - 87575cb7a0e0700eb37f2e3668671a08
        - 13f08707f759af6003837a150a371ba1
        - 1781f06048a7e58b323f0b9259be798b
        - 233f85f2d4bc9d6521a6caae11a1e7f5
        - 24af2584cbf4d60bbe5c6d1b31b3be6d
        - 632969ddf6dbf4e0f53424b75e4b91f2
        - 713c29b396b907ed71a72482759ed757
        - 749a7bb1f0b4c4455949c0b2bf7f9e9f
        - 8628b2608957a6b0c6330ac3de28ce2e
        - 8b114550386e31895dfab371e741123d
        - 94cb940a1a6b65bed4d5a8f849ce9793
        - 9d68781980370e00e0bd939ee5e6c141
        - b18a1401ff8f444056d29450fbc0a6ce
        - cb567f9498452721d77a451374955f5f
        - 730073214094cd328547bf1f72289752
        - 17b461a082950fc6332228572138b80c
        - dc25ee78e2ef4d36faa0badf1e7461c9
        - 819b19d53ca6736448f9325a85736792
        - 829da329ce140d873b4a8bde2cbfaa7e
        - c547f2e66061a8dffb6f5a3ff63c0a74
        - 0588081ab0e63ba785938467e1b10cca
        - 0d9ec08bac6c07d9987dfd0f1506587c
        - bc129092b71c89b4d4c8cdf8ea590b29
        - 4da924cf622d039d58bce71cdf05d242
        - e7a3a5c377e2d29324093377d7db1c66
        - 9a9dbec5c62f0380b4fa5fd31deffedf
        - af8a3976ad71e5d5fdfb67ddb8dadfce
        - 0c477898bbf137bbd6f2a54e3b805ff4
        - 0ca9f02b537bcea20d4ea5eb1a9fe338
        - 3ab3655e5a14d4eefc547f4781bf7f9e
        - e6f9d5152da699934b30daab206471f6
        - 3ad59991ccf1d67339b319b15a41b35d
        - ffdd59e0318b85a3e480874d9796d872
        - 0cf479628d7cc1ea25ec7998a92f5051
        - 07a2d4dcbd6cb2c6a45e6b101f0b6d51
        - d6d0f80386e1380d05cb78e871bc72b1
        - 38d9e015591bbfd4929e0d0f47fa0055
        - 0e2216679ca6e1094d63322e3412d650
        - ada161bf41b8e5e9132858cb54cab5fb
        - 2a1bc4913cd5ecb0434df07cb675b798
        - 11083e75553baae21dc89ce8f9a195e4
        - a23d29c9e566f2fa8ffbb79267f5df80
        - 4a07f944a83e8a7c2525efa35dd30e2f
        - 767637c23bb42cd5d7397cf58b0be688
        - 14c4e4c72ba075e9069ee67f39188ad8
        - 3c782813d4afce07bbfc5a9772acdbdc
        - 7d010c6bb6a3726f327f7e239166d127
        - 89159ba4dd04e4ce5559f132a9964eb3
        - 6f33f4a5fc42b8cec7314947bd13f30f
        - 5834ed4291bdeb928270428ebbaf7604
        - 5a8a8a43f25485e7ee1b201edcbc7a38
        - dc7d30b90b2d8abf664fbed2b1b59894
        - 41923ea1f824fe63ea5beb84db7a3e74
        - 3de09703c8e79ed2ca3f01074719906b
        - a53a02b997935fd8eedcb5f7abab9b9f
        - e96a73c7bf33a464c510ede582318bf2
        - 32089b8851bbf8bc2d014e9f37288c83
        - 09D278F9DE118EF09163C6140255C690
        - 03866661686829d806989e2fc5a72606
        - e57401fbdadcd4571ff385ab82bd5d6d
        - 84B763C45C0E4A3E7CA5548C710DB4EE
        - 19584675d94829987952432e018d5056
        - 330768a4f172e10acb6287b87289d83b
        - 885c99ccfbe77d1cbfcb9c4e7c1a3313
        - 22a22bc9e4e0d2f189f1ea01748816ac
        - 7fa30e6bb7e8e8a69155636e50bf1b28
        - 96df3a3731912449521f6f8d183279b1
        - 7e6cf3ff4576581271ac8a313b2aab46
        - 51791678f351c03a0eb4e2a7b05c6e17
        - 25ce42b079282632708fc846129e98a5
        - 021bcca20ba3381b11bdde26b4e62f20
        - 59223b5f52d8799d38e0754855cbdf42
        - 81e75d8f1d276c156653d3d8813e4a43
        - 17244e8b6b8227e57fe709ccad421420
        - 5b76da3acdedc8a5cdf23a798b5936b4
        - cb2b65bb77d995cc1c0e5df1c860133c
        - 40445337761d80cf465136fafb1f63e6
        - 8a790f401b29fa87bc1e56f7272b3aa6
        - b50199e952c875241b9ce06c971ce3c1
    - Hashes|contains:
        - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932
        - IMPHASH=3A19059BD7688CB88E70005F18EFC439
        - IMPHASH=bf6223a49e45d99094406777eb6004ba
        - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1
        - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC
        - IMPHASH=F9A28C458284584A93B14216308D31BD
        - IMPHASH=6118619783FC175BC7EBECFF0769B46E
        - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA
        - IMPHASH=563233BFA169ACC7892451F71AD5850A
        - IMPHASH=87575CB7A0E0700EB37F2E3668671A08
        - IMPHASH=13F08707F759AF6003837A150A371BA1
        - IMPHASH=1781F06048A7E58B323F0B9259BE798B
        - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5
        - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D
        - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2
        - IMPHASH=713C29B396B907ED71A72482759ED757
        - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F
        - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E
        - IMPHASH=8B114550386E31895DFAB371E741123D
        - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793
        - IMPHASH=9D68781980370E00E0BD939EE5E6C141
        - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE
        - IMPHASH=CB567F9498452721D77A451374955F5F
        - IMPHASH=730073214094CD328547BF1F72289752
        - IMPHASH=17B461A082950FC6332228572138B80C
        - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9
        - IMPHASH=819B19D53CA6736448F9325A85736792
        - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E
        - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74
        - IMPHASH=0588081AB0E63BA785938467E1B10CCA
        - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C
        - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29
        - IMPHASH=4DA924CF622D039D58BCE71CDF05D242
        - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66
        - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF
        - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE
        - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4
        - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338
        - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E
        - IMPHASH=E6F9D5152DA699934B30DAAB206471F6
        - IMPHASH=3AD59991CCF1D67339B319B15A41B35D
        - IMPHASH=FFDD59E0318B85A3E480874D9796D872
        - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051
        - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51
        - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1
        - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
        - IMPHASH=0E2216679CA6E1094D63322E3412D650
        - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB
        - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798
        - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4
        - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80
        - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F
        - IMPHASH=767637C23BB42CD5D7397CF58B0BE688
        - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8
        - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC
        - IMPHASH=7D010C6BB6A3726F327F7E239166D127
        - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3
        - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F
        - IMPHASH=5834ED4291BDEB928270428EBBAF7604
        - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38
        - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894
        - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74
        - IMPHASH=3DE09703C8E79ED2CA3F01074719906B
        - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F
        - IMPHASH=E96A73C7BF33A464C510EDE582318BF2
        - IMPHASH=32089B8851BBF8BC2D014E9F37288C83
        - IMPHASH=09D278F9DE118EF09163C6140255C690
        - IMPHASH=03866661686829d806989e2fc5a72606
        - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d
        - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE
        - IMPHASH=19584675D94829987952432E018D5056
        - IMPHASH=330768A4F172E10ACB6287B87289D83B
        - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313
        - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC
        - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28
        - IMPHASH=96DF3A3731912449521F6F8D183279B1
        - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46
        - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17
        - IMPHASH=25CE42B079282632708FC846129E98A5
        - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20
        - IMPHASH=59223B5F52D8799D38E0754855CBDF42
        - IMPHASH=81E75D8F1D276C156653D3D8813E4A43
        - IMPHASH=17244E8B6B8227E57FE709CCAD421420
        - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4
        - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C
        - IMPHASH=40445337761D80CF465136FAFB1F63E6
        - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6
        - IMPHASH=B50199E952C875241B9CE06C971CE3C1
condition: selection
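The two field maps in the selection are ORed by Sigma: the rule fires when the dedicated Imphash field equals a listed value, or when the raw Hashes string carries an IMPHASH=<value> token (the form Sysmon writes when IMPHASH is enabled). Sigma compares strings case-insensitively, which is why the mixed upper- and lower-case values in the list above are harmless. The worked example below is added here and is not part of the Sigma rule or the Sigma project: it computes an import hash the way pefile.get_imphash() does (the ordinal-to-name lookup pefile applies to a few well-known DLLs is omitted), then runs the rule's selection over constructed Sysmon process-creation records. The hash set is a subset of the rule's own values; the event records, file paths and placeholder MD5/SHA256 values are constructed for the example.

```python
import hashlib
import re

# Subset of the imphash values from the rule's selection; the values are the
# rule's, the choice of subset is ours for brevity.
HACKTOOL_IMPHASHES = {
    "bcca3c247b619dcd13c8cdff5f123932",
    "3a19059bd7688cb88e70005f18efc439",
    "bf6223a49e45d99094406777eb6004ba",
    "09d278f9de118ef09163c6140255c690",
}

# Library-name extensions that pefile strips before hashing.
_STRIP_EXTS = ("dll", "ocx", "sys")

# Sysmon writes the token as IMPHASH=<32 hex>; Sigma matches case-insensitively.
_IMPHASH_TOKEN = re.compile(r"IMPHASH=([0-9a-f]{32})", re.IGNORECASE)


def imphash(imports):
    """Import hash as computed by pefile.get_imphash().

    `imports` is the PE import directory as an ordered list of
    (library_name, function_name_or_ordinal) pairs. Each entry becomes a
    "library.function" token, lowercased, with a .dll/.ocx/.sys suffix
    removed from the library name and unnamed imports written as "ordNNN";
    the result is the MD5 of the comma-joined tokens. pefile additionally
    maps ordinals of a few well-known DLLs (ws2_32, oleaut32) back to names
    through a lookup table, which this example omits.
    """
    tokens = []
    for library, func in imports:
        lib = library.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIP_EXTS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        tokens.append(f"{lib}.{name}")
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def event_matches(event):
    """Apply the rule's selection to one process-creation event dict.

    Either the dedicated Imphash field equals a listed value, or the Hashes
    field contains an IMPHASH=<value> token. Sigma string matching is
    case-insensitive by default, so everything is compared lowercased.
    """
    if event.get("Imphash", "").lower() in HACKTOOL_IMPHASHES:
        return True
    for m in _IMPHASH_TOKEN.finditer(event.get("Hashes", "")):
        if m.group(1).lower() in HACKTOOL_IMPHASHES:
            return True
    return False


def scan(events):
    """Return the Image paths of all events the rule would fire on."""
    return [e["Image"] for e in events if event_matches(e)]


# Constructed import table for a benign-looking binary (not a real file).
BENIGN_IMPORTS = [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
                  ("ADVAPI32.dll", "OpenProcessToken")]

# Constructed Sysmon EventID 1 records; paths and the MD5/SHA256 placeholders
# are made up, only the IMPHASH values come from the rule.
SAMPLE_EVENTS = [
    {   # renamed binary; the dedicated Imphash field (upper case) matches
        "Image": r"C:\Users\Public\svc_update.exe",
        "Imphash": "BCCA3C247B619DCD13C8CDFF5F123932",
        "Hashes": "MD5=00000000000000000000000000000000,"
                  "IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932",
    },
    {   # log source without a parsed Imphash field; only Hashes is present
        "Image": r"C:\ProgramData\cache\helper.exe",
        "Hashes": "SHA256=" + "0" * 64 + ",imphash=3a19059bd7688cb88e70005f18efc439",
    },
    {   # benign binary whose import table hashes to an unlisted value
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "Imphash": imphash(BENIGN_IMPORTS),
        "Hashes": "IMPHASH=" + imphash(BENIGN_IMPORTS).upper(),
    },
]


if __name__ == "__main__":
    # Renaming a file does not touch its import table, so the hash is stable...
    print("imphash:", imphash(BENIGN_IMPORTS))
    # ...but adding, removing or reordering one import yields a different value.
    print("after relinking:", imphash(BENIGN_IMPORTS + [("USER32.dll", "MessageBoxW")]))
    for image in scan(SAMPLE_EVENTS):
        print("ALERT Hacktool Execution - Imphash:", image)
```

Two operational points follow from the code. Sysmon only populates Imphash (and the IMPHASH= token in Hashes) when IMPHASH is listed in the configuration's HashAlgorithms element, for example `<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>`; without it neither branch of the selection can ever match. And because the hash is a function of the import table alone, two unrelated binaries linked against exactly the same imports in the same order collide, so any hash added to this list should be checked against a corpus of clean binaries before it is deployed as a high-confidence alert.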