HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Sigma rule

```yaml
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.initial-access
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
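The following is an added example, not code from the Sigma project or the rule authors, that evaluates the rule's `selection` logic against a handful of constructed Windows process-creation events. It mirrors what a Sigma backend does with `ParentImage|endswith` and `Image|endswith`: Sigma string matching is case-insensitive by default, which is why the mixed-case entries such as `\MSHTA.EXE` still match `mshta.exe`. All paths and events below are made up for the demonstration.

```python
"""Evaluate the 'HTML Help HH.EXE Suspicious Child Process' selection
against constructed process_creation events (hypothetical data)."""

# Values copied from the rule's detection.selection block.
PARENT_SUFFIX = "\\hh.exe"
CHILD_SUFFIXES = [
    "\\CertReq.exe", "\\CertUtil.exe", "\\cmd.exe", "\\cscript.exe",
    "\\installutil.exe", "\\MSbuild.exe", "\\MSHTA.EXE", "\\msiexec.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe",
]


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's default string matching is case-insensitive."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Both fields must be present and both suffix tests must pass; a
    missing ParentImage or Image never matches."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not _endswith_ci(parent, PARENT_SUFFIX):
        return False
    return any(_endswith_ci(image, s) for s in CHILD_SUFFIXES)


def evaluate(events: list) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events in Sigma's process_creation field names
# (comparable to Sysmon Event ID 1 after field mapping). Not real telemetry.
SAMPLE_EVENTS = [
    # Match: hh.exe spawning cmd.exe
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Match: casing differs from the rule's '\MSHTA.EXE' entry
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe"},
    # Match: deeper path still ends with '\powershell.exe'
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # No match: child not in the rule's list
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # No match: listed child but parent is not hh.exe
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # No match: 'hh.exe' is not the end of the parent path
    {"ParentImage": r"C:\Tools\hh.exe.bak",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT level=high parent=%s image=%s"
              % (hit["ParentImage"], hit["Image"]))
```

Running the script prints three alerts for the first three constructed events. Because the selection keys on the image path suffix only, pair this rule with the related rules listed below and with any `OriginalFileName`-based detections your telemetry supports, so that coverage does not rest on the file name alone.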
Related rules
- Suspicious HH.EXE Execution
- File Was Not Allowed To Run
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Csc.EXE Execution Form Potentially Suspicious Parent
- Exploited CVE-2020-10189 Zoho ManageEngine