Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
Sigma rule (View on GitHub)
1title: Remote CHM File Download/Execution Via HH.EXE
2id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
3status: experimental
4description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
5references:
6 - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
7 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
8 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/09/29
11modified: 2024/01/31
12tags:
13 - attack.defense_evasion
14 - attack.t1218.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - OriginalFileName: 'HH.exe'
21 - Image|endswith: '\hh.exe'
22 selection_cli:
23 CommandLine|contains:
24 - 'http://'
25 - 'https://'
26 - '\\\\'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: high
References
-
The Splunk Threat Research Team shares how to identify protocol handlers on an endpoint, different ways to simulate adversary tradecraft that utilizes a protocol handler, and a piece of inspiring hunting content to help defenders identify protocol handlers being used in their environment.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
An operational security failure by the North Korean threat actor - APT37, led to the discovery of many previously unknown tools and techniques used by them
Read More
Related rules
- HH.EXE Execution
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- BITS Transfer Job Download From File Sharing Domains
- Bypass UAC Using SilentCleanup Task