For instance, if one is monitoring for the use of rar.exe (a compression utility) with the "-a" and "-p" options to archive and password-protect data in preparation for exfiltration, the attacker can simply rename rar.exe to something else and boom! The name-based rule never fires, while the import hash (imphash) of the renamed binary is unchanged.
For Sysmon users, enable IMPHASH in your config:
- <HashAlgorithms>md5,IMPHASH</HashAlgorithms>
Furthermore, imphash is also useful for detecting similar implants (built with the same custom compiler or similar tooling) within your network, even if they have different C2 and md5/sha256 hashes.
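The two points above (matching a renamed tool, and matching sibling implants that share an import table) rest on the same property: the imphash is derived from the PE import directory, not from the file name or the file's bytes as a whole. The following added example (not code from the original post, nor from Sysmon or FireEye) implements the FireEye import-hash algorithm over an already-parsed import table, then matches Sysmon Event ID 1 style records on the IMPHASH field rather than on Image. The import tables, image paths and records are constructed for illustration, so the hash values are not those of any real rar.exe; `sysmon_record` and `WATCHLIST` are assumed helpers of this example. The PE parsing step is omitted, and ordinal-only imports are rendered as `ordN` without the per-DLL ordinal name tables that pefile applies for a few modules such as ws2_32 and oleaut32.

```python
"""Imphash-based matching of Sysmon-style process-creation records.

Added example, not from the original post. Implements the FireEye
import-hash algorithm over a parsed import table and matches records on
IMPHASH instead of the image name, so renaming the binary does not evade
the rule. All import tables, paths and records below are constructed.
"""
import hashlib
import re

# Module-name extensions the imphash algorithm strips before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Canonical 'module.function' list the imphash is computed over.

    imports: list of (dll_name, [function_name_or_ordinal, ...]) in the
    order they appear in the PE import directory (order matters).
    Ordinal-only imports (ints) are rendered as 'ordN' (simplified: no
    per-DLL ordinal-to-name tables).
    """
    parts = []
    for dll, funcs in imports:
        module = dll.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{module}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, lowercase hex, as Sysmon reports it."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables. A renamed copy is byte-identical to the original,
# so it keeps the same import table; a rebuilt or repacked tool would not.
RAR_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "ReadFile", "WriteFile", 12]),
    ("USER32.dll", ["MessageBoxW"]),
]
UNRELATED_IMPORTS = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
]

# Watchlist keyed on imphash, built once from a known-good copy of the tool
# rather than from its file name (assumed structure for this example).
WATCHLIST = {imphash(RAR_IMPORTS): "rar.exe (archiver)"}

# Sysmon writes Hashes as e.g. "MD5=...,IMPHASH=..." when IMPHASH is enabled.
_IMPHASH_RE = re.compile(r"IMPHASH=([0-9A-Fa-f]{32})")


def sysmon_record(image, command_line, imports):
    """Constructed stand-in for a Sysmon Event ID 1 record with IMPHASH enabled."""
    return {
        "Image": image,
        "CommandLine": command_line,
        "Hashes": f"MD5=<not computed>,IMPHASH={imphash(imports).upper()}",
    }


def match_watchlist(record):
    """Return the watchlist label if the record's IMPHASH is listed, else None."""
    m = _IMPHASH_RE.search(record.get("Hashes", ""))
    if not m:
        return None
    return WATCHLIST.get(m.group(1).lower())


def detect(records):
    """(Image, label) for every process creation matched by imphash."""
    hits = []
    for rec in records:
        label = match_watchlist(rec)
        if label is not None:
            hits.append((rec["Image"], label))
    return hits


# Constructed records: the real tool, a renamed copy, and an unrelated binary.
EVENTS = [
    sysmon_record(r"C:\Tools\rar.exe", "rar.exe a -p<pw> out.rar docs", RAR_IMPORTS),
    sysmon_record(r"C:\Users\Public\svchost.exe", "svchost.exe a -p<pw> out.rar docs", RAR_IMPORTS),
    sysmon_record(r"C:\Windows\notepad.exe", "notepad.exe", UNRELATED_IMPORTS),
]

if __name__ == "__main__":
    for image, label in detect(EVENTS):
        print(f"{image}: matches {label} by IMPHASH")
```

Both the original and the renamed copy are reported, the unrelated binary is not. The same watchlist approach covers the second point in the text: two implants with different C2 addresses and different md5/sha256 values still share an imphash when they were built from the same source with the same toolchain. The limits follow from the algorithm: a binary with no import table has no imphash, packed samples share the packer stub's imphash rather than the payload's, and a recompiled or import-rewritten tool gets a new value, so imphash matching complements name- and hash-based rules rather than replacing them.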
References:
https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon