Suspicious HH.EXE Execution

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Sigma rule (View on GitHub)

 1title: Suspicious HH.EXE Execution
 2id: e8a95b5e-c891-46e2-b33a-93937d3abc31
 3status: test
 4description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
 5references:
 6    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
 7    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
 8    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 9    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
10author: Maxim Pavlunin
11date: 2020/04/01
12modified: 2023/04/12
13tags:
14    - attack.defense_evasion
15    - attack.execution
16    - attack.initial_access
17    - attack.t1047
18    - attack.t1059.001
19    - attack.t1059.003
20    - attack.t1059.005
21    - attack.t1059.007
22    - attack.t1218
23    - attack.t1218.001
24    - attack.t1218.010
25    - attack.t1218.011
26    - attack.t1566
27    - attack.t1566.001
28logsource:
29    category: process_creation
30    product: windows
31detection:
32    selection_img:
33        - OriginalFileName: 'HH.exe'
34        - Image|endswith: '\hh.exe'
35    selection_paths:
36        CommandLine|contains:
37            - '.application'
38            - '\AppData\Local\Temp\'
39            - '\Content.Outlook\'
40            - '\Downloads\'
41            - '\Users\Public\'
42            - '\Windows\Temp\'
43            # - '\AppData\Local\Temp\Temp?_'
44            # - '\AppData\Local\Temp\Rar$'
45            # - '\AppData\Local\Temp\7z'
46            # - '\AppData\Local\Temp\wz'
47            # - '\AppData\Local\Temp\peazip-tmp'
48    condition: all of selection_*
49falsepositives:
50    - Unknown
51level: high

References

Related rules

to-top