Executables are generally not renamed, so a given executable hash should only ever be associated with one name. Identifying instances where multiple process names share the same hash may reveal cases where attackers have copied tools to different folders or hosts to avoid detection.
Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention.
A list of hashes and the different executables associated with each one
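The grouping described above (one hash, several process names), as an added example that is not part of the original analytic. It assumes Sysmon Event ID 1 records already exported as dictionaries with `Computer`, `Image` and `Hashes` fields; the hosts, paths and hash values in the sample are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon Event ID 1 records; hosts, paths and hash values are made up.
H1, H2 = "a" * 32, "B" * 32
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": f"MD5={H1},SHA256={'1' * 64}"},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\CMD.EXE",
     "Hashes": f"SHA256={'1' * 64},MD5={H1.upper()}"},
    {"Computer": "WS02", "Image": r"C:\Users\Public\updater.exe", "Hashes": f"MD5={H1}"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe", "Hashes": f"MD5={H2}"},
    {"Computer": "WS01", "Image": r"C:\Windows\SysWOW64\notepad.exe", "Hashes": f"MD5={H2}"},
    {"Computer": "WS02", "Image": r"C:\Temp\tool.exe", "Hashes": f"SHA256={'2' * 64}"},
]

def parse_hashes(field):
    """Split Sysmon's 'ALG=VALUE,ALG=VALUE' Hashes field into a dict."""
    out = {}
    for part in field.split(","):
        alg, sep, value = part.partition("=")
        if sep and value.strip():
            out[alg.strip().upper()] = value.strip().upper()
    return out

def names_by_hash(events, algorithm="MD5"):
    """Map each hash to the file names seen with it, keeping host and full path."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        digest = parse_hashes(ev.get("Hashes", "")).get(algorithm.upper())
        if not digest:
            continue  # event was logged without this algorithm
        # Windows file names are case-insensitive, and only the base name is
        # compared, so one binary under one name in two folders is not flagged.
        name = ntpath.basename(ev["Image"]).lower()
        seen[digest][name].add((ev.get("Computer", "?"), ev["Image"]))
    return seen

def renamed_candidates(events, algorithm="MD5"):
    """Return {hash: {name: [(host, path), ...]}} for hashes with more than one name."""
    return {h: {n: sorted(p) for n, p in names.items()}
            for h, names in names_by_hash(events, algorithm).items()
            if len(names) > 1}

if __name__ == "__main__":
    for digest, names in renamed_candidates(SAMPLE_EVENTS).items():
        print(digest, sorted(names))
```

Known-good software that ships the same binary under several names will also appear in the result and needs allowlisting by the analyst.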
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Masquerading|Rename System Utilities|Defense Evasion|Moderate|

|D3-SBV|Service Binary Verification|
|D3-SFA|System File Analysis|
Data Model References
Basic Query (Splunk, Sysmon native)
This is a basic Splunk search that outputs all Sysmon-reported process images and their respective hashes, for cases where an image has more than one set of hashes. It therefore outputs a large amount of data and should be filtered by the analyst to make the results more useful.
index=__your_sysmon_index__ EventCode=1 | stats dc(Hashes) as Num_Hashes values(Hashes) as "Hashes" by Image | where Num_Hashes > 1
Sigma includes a Sysmon-specific rule for detecting this, using the OriginalFilename field.
Sigma (renamed powershell) (Sigma)
Sigma includes a rule specifically for detecting instances of PowerShell being renamed.
Sigma (renamed paexec) (Sigma)
Sigma includes a rule specifically for detecting instances of paexec being renamed.
Dnif, Sysmon native
DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 group count_unique $App, $HashMD5 limit 100 >>_agg count_unique $HashMD5 >>_checkif int_compare count_unique > 1 include
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 | chart distinct_count(hash) as cnt by image | search cnt > 1