Executables are generally not renamed, so the hash of a given executable should only ever be associated with one file name. Identifying hashes that appear under more than one process name may reveal tools that an attacker has copied to a different folder or host under a new name to avoid detection (for example, a known utility renamed to look like a system binary).

Output Description

A list of hashes and the different executables associated with each one
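The grouping the analytic describes, as an added example that is not part of the original page: process-create events are bucketed by hash, and any hash seen under more than one executable name is reported together with the hosts and paths where it ran, so the output matches the "list of hashes and the different executables associated with each one" above. The sample events, hostnames, paths and hash values are constructed placeholders, not real telemetry; names and hashes are lower-cased before comparison because Windows file names are case-insensitive and a case-only difference is not a rename.

```python
from collections import defaultdict

# Constructed placeholder hashes (not real file hashes).
HASH_CMD = "0" * 31 + "1"
HASH_NOTEPAD = "0" * 31 + "2"
HASH_TOOL = "0" * 31 + "3"

# Constructed sample process-create events using the CAR data model fields this
# analytic needs (exe, md5_hash), plus hostname and image_path for triage context.
SAMPLE_EVENTS = [
    {"hostname": "ws01", "exe": "cmd.exe", "image_path": r"C:\Windows\System32\cmd.exe", "md5_hash": HASH_CMD},
    {"hostname": "ws02", "exe": "cmd.exe", "image_path": r"C:\Windows\System32\cmd.exe", "md5_hash": HASH_CMD},
    # Case differs only: must not be treated as a second name for the same hash.
    {"hostname": "ws03", "exe": "CMD.EXE", "image_path": r"C:\Windows\System32\cmd.exe", "md5_hash": HASH_CMD},
    # Same bytes as cmd.exe, copied to a user-writable folder under a system-looking name.
    {"hostname": "ws02", "exe": "svchost.exe", "image_path": r"C:\Users\Public\svchost.exe", "md5_hash": HASH_CMD},
    {"hostname": "ws01", "exe": "notepad.exe", "image_path": r"C:\Windows\System32\notepad.exe", "md5_hash": HASH_NOTEPAD},
    {"hostname": "ws04", "exe": "tool.exe", "image_path": r"C:\Temp\tool.exe", "md5_hash": HASH_TOOL},
    # Sensor could not hash the file; there is nothing to correlate on.
    {"hostname": "ws04", "exe": "tool.exe", "image_path": r"C:\Temp\tool.exe", "md5_hash": ""},
]


def shared_hash_executables(events):
    """Group process-create events by file hash and return only the hashes that
    were executed under more than one distinct executable name.

    Result: {hash: {"exes": [...], "hosts": [...], "paths": [...]}} with each
    list sorted, so an analyst can pivot straight to where the renamed copy ran.
    """
    by_hash = defaultdict(lambda: {"exes": set(), "hosts": set(), "paths": set()})
    for ev in events:
        file_hash = (ev.get("md5_hash") or "").strip().lower()
        exe = (ev.get("exe") or "").strip().lower()
        if not file_hash or not exe:
            continue  # missing hash or name: skip rather than bucket under ""
        rec = by_hash[file_hash]
        rec["exes"].add(exe)
        rec["hosts"].add(ev.get("hostname", ""))
        rec["paths"].add(ev.get("image_path", ""))
    return {
        file_hash: {key: sorted(values) for key, values in rec.items()}
        for file_hash, rec in by_hash.items()
        if len(rec["exes"]) > 1
    }


if __name__ == "__main__":
    for file_hash, rec in shared_hash_executables(SAMPLE_EVENTS).items():
        print(f"{file_hash}: names={rec['exes']} hosts={rec['hosts']}")
        for path in rec["paths"]:
            print(f"    {path}")
```

The hash field name is whatever the sensor records; swapping `md5_hash` for a SHA-256 field changes nothing else. Hashes that legitimately run under several names (a vendor shipping one binary under two file names) will also surface, so compare hits against a baseline before turning this into an alert.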

ATT&CK Detection

Technique      Tactic            Level of Coverage
Masquerading   Defense Evasion   Moderate

Additional Notes:

Although this analytic was initially written against MD5 hashes, it applies equally to any hash algorithm the sensor records (SHA-1, SHA-256, and so on), since the comparison only needs a single field that identifies the file contents. Where the sensor offers a choice, prefer SHA-256: MD5 is no longer collision-resistant, so two different files can be made to share an MD5 hash.

Data Model References

Object    Action    Field
process   create    exe
process   create    md5_hash