Executables are generally not renamed, so a given hash of an executable should only ever have one name. Identifying instances where multiple process names share the same hash may surface cases where tools have been copied by attackers to different folders or hosts to avoid detection.

Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention.

Output Description

A list of hashes and the different executables associated with each one

ATT&CK Detection

Technique: Masquerading
Subtechnique(s): Rename System Utilities
Tactic(s): Defense Evasion
Level of Coverage: Moderate

Data Model References

Object Action Field
process create exe
process create md5_hash

Implementations

Basic Query (Splunk, Sysmon native)

This is a basic Splunk search that outputs every Sysmon-reported process image that has more than one set of hashes, together with those hashes. It will return a large amount of data and should be filtered by the analyst to make the results more useful.

index=__your_sysmon_index__ EventCode=1|stats dc(Hashes) as Num_Hashes values(Hashes) as "Hashes" by Image|where Num_Hashes > 1

Sigma/Sysmon (Sigma)

Sigma includes a Sysmon-specific rule for detecting this, using the OriginalFileName field.

Sigma (renamed powershell) (Sigma)

Sigma includes a rule specifically for detecting instances of Powershell being renamed.

Sigma (renamed paexec) (Sigma)

Sigma includes a rule specifically for detecting instances of paexec being renamed.

Dnif, Sysmon native

DNIF version of the above query.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 group count_unique $App, $HashMD5 limit 100
>>_agg count_unique $HashMD5
>>_checkif int_compare count_unique > 1 include
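As an added example (not part of the CAR page or any of its listed implementations), the checks described above expressed in Python over a few constructed Sysmon Event ID 1 records: hash to multiple image names (the analytic as stated), image to multiple hashes (what the Splunk search does), and the OriginalFileName mismatch the Sigma rules rely on. Field names follow Sysmon's own (Image, OriginalFileName, Hashes); the hash values are placeholders.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 records (relevant fields only); hash values are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "Hashes": "MD5=AAAA1111,SHA256=BBBB2222"},
    {"Image": r"C:\Users\Public\svchost.exe",  # powershell.exe copied and renamed
     "OriginalFileName": "PowerShell.EXE", "Hashes": "MD5=AAAA1111,SHA256=BBBB2222"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "Hashes": "MD5=CCCC3333,SHA256=DDDD4444"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # same name, different build
     "OriginalFileName": "svchost.exe", "Hashes": "MD5=EEEE5555,SHA256=FFFF6666"},
]

def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex,...' Hashes string into {ALG: hex}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def names_per_hash(events, algo="MD5"):
    """The analytic as stated: hashes that were run under more than one image name."""
    seen = defaultdict(set)
    for ev in events:
        digest = parse_hashes(ev["Hashes"]).get(algo)
        if digest:
            seen[digest].add(ev["Image"])
    return {h: sorted(names) for h, names in seen.items() if len(names) > 1}

def hashes_per_image(events):
    """What the Splunk search does: images seen with more than one Hashes value."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["Image"]].add(ev["Hashes"])
    return {img: sorted(hs) for img, hs in seen.items() if len(hs) > 1}

def renamed_binaries(events):
    """Sigma-style check: PE OriginalFileName disagrees with the on-disk file name."""
    hits = []
    for ev in events:
        disk_name = PureWindowsPath(ev["Image"]).name.lower()
        original = ev.get("OriginalFileName", "").lower()
        if original and original != disk_name:
            hits.append((ev["Image"], ev["OriginalFileName"]))
    return hits

if __name__ == "__main__":
    print("hash -> names:", names_per_hash(SAMPLE_EVENTS))
    print("image -> hashes:", hashes_per_image(SAMPLE_EVENTS))
    print("renamed:", renamed_binaries(SAMPLE_EVENTS))
```

Note that the image-to-hashes view also fires on legitimate updates of the same binary (the two svchost.exe builds above), which is why the page says its output needs analyst filtering.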