HTML Help HH.EXE Suspicious Child Process

 1title: HTML Help HH.EXE Suspicious Child Process
 2id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
 3status: test
 4description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
 5references:
 6    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
 7    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
 8    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 9    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
10author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
11date: 2020/04/01
12modified: 2023/04/12
13tags:
14    - attack.defense_evasion
15    - attack.execution
16    - attack.initial_access
17    - attack.t1047
18    - attack.t1059.001
19    - attack.t1059.003
20    - attack.t1059.005
21    - attack.t1059.007
22    - attack.t1218
23    - attack.t1218.001
24    - attack.t1218.010
25    - attack.t1218.011
26    - attack.t1566
27    - attack.t1566.001
28logsource:
29    category: process_creation
30    product: windows
31detection:
32    selection:
33        ParentImage|endswith: '\hh.exe'
34        Image|endswith:
35            - '\CertReq.exe'
36            - '\CertUtil.exe'
37            - '\cmd.exe'
38            - '\cscript.exe'
39            - '\installutil.exe'
40            - '\MSbuild.exe'
41            - '\MSHTA.EXE'
42            - '\msiexec.exe'
43            - '\powershell.exe'
44            - '\pwsh.exe'
45            - '\regsvr32.exe'
46            - '\rundll32.exe'
47            - '\schtasks.exe'
48            - '\wmic.exe'
49            - '\wscript.exe'
50    condition: selection
51falsepositives:
52    - Unknown
53level: high

References

• CHM Badness Delivers a Banking Trojan

  

  Like good old Microsoft Office Macros, Compiled HTML (CHM) Help files have been utilized by malware authors for more than a decade to sneak malicious downloader code into files making them harder to detect. CHMs are a Microsoft proprietary online...

  
  Read More

• Updating artifacts · elastic/protections-artifacts@7460867

  

  Elastic Security detection content for Endpoint. Contribute to elastic/protections-artifacts development by creating an account on GitHub.

  
  Read More

• Higaisa or Winnti? APT41 backdoors, old and new

  

  Higaisa or Winnti? APT41 backdoors, old and new

  
  Read More

• The Unintentional Leak: A glimpse into the attack vectors of APT37

  

  An operational security failure by the North Korean threat actor - APT37, led to the discovery of many previously unknown tools and techniques used by them

  
  Read More

Related rules

• Suspicious HH.EXE Execution
• File Was Not Allowed To Run
• HackTool - RedMimicry Winnti Playbook Execution
• HackTool - Koadic Execution
• Suspicious HWP Sub Processes