Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Sigma rule (View on GitHub)
1title: Suspicious HH.EXE Execution
2id: e8a95b5e-c891-46e2-b33a-93937d3abc31
3status: test
4description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
5references:
6 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
7 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
8 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
9 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
10author: Maxim Pavlunin
11date: 2020-04-01
12modified: 2023-04-12
13tags:
14 - attack.defense-evasion
15 - attack.execution
16 - attack.initial-access
17 - attack.t1047
18 - attack.t1059.001
19 - attack.t1059.003
20 - attack.t1059.005
21 - attack.t1059.007
22 - attack.t1218
23 - attack.t1218.001
24 - attack.t1218.010
25 - attack.t1218.011
26 - attack.t1566
27 - attack.t1566.001
28logsource:
29 category: process_creation
30 product: windows
31detection:
32 selection_img:
33 - OriginalFileName: 'HH.exe'
34 - Image|endswith: '\hh.exe'
35 selection_paths:
36 CommandLine|contains:
37 - '.application'
38 - '\AppData\Local\Temp\'
39 - '\Content.Outlook\'
40 - '\Downloads\'
41 - '\Users\Public\'
42 - '\Windows\Temp\'
43 # - '\AppData\Local\Temp\Temp?_'
44 # - '\AppData\Local\Temp\Rar$'
45 # - '\AppData\Local\Temp\7z'
46 # - '\AppData\Local\Temp\wz'
47 # - '\AppData\Local\Temp\peazip-tmp'
48 condition: all of selection_*
49falsepositives:
50 - Unknown
51level: high
References
-
Like good old Microsoft Office Macros, Compiled HTML (CHM) Help files have been utilized by malware authors for more than a decade to sneak malicious downloader code into files making them harder to detect. CHMs are a Microsoft proprietary online...
Read More -
Elastic Security detection content for Endpoint. Contribute to elastic/protections-artifacts development by creating an account on GitHub.
Read More -
The PT Expert Security Center regularly spots emerging threats to information security, including both previously known and newly discovered malware. During such monitoring in May 2020, we detected several samples of new malware that at first glance would seem to belong to the Higaisa group. But detailed analysis pointed to the Winnti group (also known as APT41, per FireEye) of Chinese origin. Subsequent monitoring led us to discover a number of new malware samples used by the group in recent attacks. These include various droppers, loaders, and injectors; Crosswalk, ShadowPad, and PlugX backdoors; and samples of a previously undescribed backdoor that we have dubbed FunnySwitch. We can confidently state that some of these attacks were directed at a number of organizations in Russia and Hong Kong. In this article, we will share the results of our investigation of these samples and related network infrastructure, as well as overlaps with previously described attacks.
Read More -
An operational security failure by the North Korean threat actor - APT37, led to the discovery of many previously unknown tools and techniques used by them
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- File Was Not Allowed To Run
- Potential SquiblyTwo Technique Execution
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Csc.EXE Execution Form Potentially Suspicious Parent