Sysmon events that capture cryptographic hashes
A standardized way to perform hash lookups and detect attacks
The Pyramid of Pain tells us that cryptographic hashes such as MD5 and SHA256 are low-hanging fruit for threat detection, but also that they are trivial for a threat actor to change: recompiling the binary or altering a single byte produces a brand new hash.
Import hashes (IMPHASH) sit higher on the pyramid. They are computed from a PE file's import table, so to change one an attacker has to change what the binary imports rather than just flip a byte; that makes them worth including in your detections for the extra visibility they give.
If we think about detecting threats at scale (billions of events), it is important to establish a standardized mechanism to perform hash lookups, so that we can detect a malicious hash performing actions anywhere in the computing environment, across multiple actions or event types.
A small issue with Sysmon schema…
As discussed earlier, the Sysmon schema poses some challenges for automation and XSD transformations. On top of that, the field names are not entirely consistent across the different Sysmon event types.
When it comes to hashes, for instance, we also found a divergence:
As we can see below, in Sysmon Event 15 (FileCreateStreamHash) the field is called Hash, whereas in the other four hash-bearing events (Process Create, Event 1; Driver Load, Event 6; Image Load, Event 7; and File Delete, Event 23) the field is called Hashes.
Although the field is named Hash (singular), it stores whichever hash or hashes are enabled through the HashAlgorithms setting in the configuration file, in the same comma-separated ALG=value format the other events use. Here is an example of a captured event:
It is important to be aware of these small differences when parsing, transforming and looking up those hashes, so that every event is treated the same way by the threat intelligence your organization has in place.
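The following is an added example, not code from the original post, showing one way to normalize the two field spellings before doing lookups. It maps each hash-bearing event ID to the field name Sysmon uses for it, parses the ALG=value list into a dictionary, and checks the result against a constructed (not real) set of indicators; the sample events and the function names are all assumptions made for the example.

```python
"""Normalize Sysmon hash fields across event IDs and look them up.

Added example, not from the original post. The sample events and the
indicator sets below are constructed by hand and are not real data; the
field layout (Event 15 uses "Hash", Events 1/6/7/23 use "Hashes", value
format "ALG=hex,ALG=hex,...") follows the Sysmon schema.
"""
import re
from typing import Dict, List, Optional, Tuple

# Event IDs that carry a hash field, and the name of that field.
# Event 15 (FileCreateStreamHash) is the odd one out: its field is "Hash".
HASH_FIELD_BY_EVENT_ID = {
    1: "Hashes",   # ProcessCreate
    6: "Hashes",   # DriverLoad
    7: "Hashes",   # ImageLoad
    15: "Hash",    # FileCreateStreamHash
    23: "Hashes",  # FileDelete
}

# One "ALG=hexvalue" pair, e.g. "SHA256=9F86D0..." or "IMPHASH=F34D5F..."
HASH_PAIR_RE = re.compile(r"^(?P<alg>[A-Z0-9]+)=(?P<value>[0-9A-Fa-f]+)$")


def parse_hash_list(raw: str) -> Dict[str, str]:
    """Parse "SHA1=...,MD5=...,SHA256=...,IMPHASH=..." into {ALG: hex}.

    Values are lower-cased so lookups are case-insensitive; pairs that do
    not look like ALG=hex are skipped rather than raising.
    """
    hashes: Dict[str, str] = {}
    for pair in raw.split(","):
        match = HASH_PAIR_RE.match(pair.strip())
        if match:
            hashes[match.group("alg").upper()] = match.group("value").lower()
    return hashes


def extract_hashes(event: Dict[str, object]) -> Dict[str, str]:
    """Return the hash dict for an event whether it used "Hash" or "Hashes".

    Unknown event IDs fall back to either spelling, so a new event type that
    carries hashes is still handled. Returns {} when the event has no hashes.
    """
    event_id = int(event.get("EventID", 0))
    field = HASH_FIELD_BY_EVENT_ID.get(event_id)
    raw = event.get(field) if field else (event.get("Hashes") or event.get("Hash"))
    return parse_hash_list(str(raw)) if raw else {}


# Constructed indicator sets (placeholders, not real threat intel).
BAD_SHA256 = {"a" * 64}
BAD_IMPHASH = {"00" * 16}


def lookup(hashes: Dict[str, str]) -> Optional[str]:
    """Return which indicator type matched ("SHA256" / "IMPHASH"), or None."""
    if hashes.get("SHA256") in BAD_SHA256:
        return "SHA256"
    if hashes.get("IMPHASH") in BAD_IMPHASH:
        return "IMPHASH"
    return None


# Constructed sample events mimicking Sysmon EventData after XML-to-dict
# conversion. Note the second one carries "Hash", not "Hashes".
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": "SHA1=" + "b" * 40 + ",MD5=" + "c" * 32
               + ",SHA256=" + "a" * 64 + ",IMPHASH=" + "d" * 32},
    {"EventID": 15, "TargetFilename": r"C:\Users\u\Downloads\x.exe:Zone.Identifier",
     "Hash": "MD5=" + "1" * 32 + ",SHA256=" + "e" * 64},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Hashes": "SHA256=" + "f" * 64 + ",IMPHASH=" + "00" * 16},
]


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return [(EventID, matched_indicator_type)] for every event that hits."""
    hits = []
    for ev in events:
        matched = lookup(extract_hashes(ev))
        if matched:
            hits.append((int(ev["EventID"]), matched))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], extract_hashes(ev))
    print(scan(SAMPLE_EVENTS))
```

A pipeline that only reads `Hashes` would silently return nothing for the Event 15 sample above; mapping by event ID first, and only then parsing the value, keeps the lookup logic identical for all five event types.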
Conclusion
Field standardization does matter. It would be interesting to know why the field names diverge across Sysmon events; it could simply be an oversight, as I'm sure everybody appreciates a well-defined naming convention for fields.
Whatever the reason, it is good to know about it: the field has to be mapped differently if you are extracting hashes from Event 15.