Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Sigma rule (View on GitHub)
1title: Suspicious HH.EXE Execution
2id: e8a95b5e-c891-46e2-b33a-93937d3abc31
3status: test
4description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
5references:
6 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
7 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
8 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
9 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
10author: Maxim Pavlunin
11date: 2020-04-01
12modified: 2023-04-12
13tags:
14 - attack.defense-evasion
15 - attack.execution
16 - attack.initial-access
17 - attack.t1047
18 - attack.t1059.001
19 - attack.t1059.003
20 - attack.t1059.005
21 - attack.t1059.007
22 - attack.t1218
23 - attack.t1218.001
24 - attack.t1218.010
25 - attack.t1218.011
26 - attack.t1566
27 - attack.t1566.001
28logsource:
29 category: process_creation
30 product: windows
31detection:
32 selection_img:
33 - OriginalFileName: 'HH.exe'
34 - Image|endswith: '\hh.exe'
35 selection_paths:
36 CommandLine|contains:
37 - '.application'
38 - '\AppData\Local\Temp\'
39 - '\Content.Outlook\'
40 - '\Downloads\'
41 - '\Users\Public\'
42 - '\Windows\Temp\'
43 # - '\AppData\Local\Temp\Temp?_'
44 # - '\AppData\Local\Temp\Rar$'
45 # - '\AppData\Local\Temp\7z'
46 # - '\AppData\Local\Temp\wz'
47 # - '\AppData\Local\Temp\peazip-tmp'
48 condition: all of selection_*
49falsepositives:
50 - Unknown
51level: high
References
Related rules
- HTML Help HH.EXE Suspicious Child Process
- File Was Not Allowed To Run
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Csc.EXE Execution Form Potentially Suspicious Parent
- Exploited CVE-2020-10189 Zoho ManageEngine