Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
Sigma rule (View on GitHub)
1title: Remote CHM File Download/Execution Via HH.EXE
2id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
3status: experimental
4description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
5references:
6 - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
7 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
8 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-09-29
11modified: 2024-01-31
12tags:
13 - attack.defense-evasion
14 - attack.t1218.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - OriginalFileName: 'HH.exe'
21 - Image|endswith: '\hh.exe'
22 selection_cli:
23 CommandLine|contains:
24 - 'http://'
25 - 'https://'
26 - '\\\\'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- HH.EXE Execution
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application