Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Sigma rule (View on GitHub)
1title: Suspicious HWP Sub Processes
2id: 023394c4-29d5-46ab-92b8-6a534c6f447b
3status: test
4description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
5references:
6 - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
7 - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
8 - https://twitter.com/cyberwar_15/status/1187287262054076416
9 - https://blog.alyac.co.kr/1901
10 - https://en.wikipedia.org/wiki/Hangul_(word_processor)
11author: Florian Roth (Nextron Systems)
12date: 2019/10/24
13modified: 2021/11/27
14tags:
15 - attack.initial_access
16 - attack.t1566.001
17 - attack.execution
18 - attack.t1203
19 - attack.t1059.003
20 - attack.g0032
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection:
26 ParentImage|endswith: '\Hwp.exe'
27 Image|endswith: '\gbb.exe'
28 condition: selection
29falsepositives:
30 - Unknown
31level: high
References
Related rules
- Antivirus Exploitation Framework Detection
- Flash Player Update from Suspicious Location
- Powershell Execute Batch Script
- Operator Bloopers Cobalt Strike Commands
- Operator Bloopers Cobalt Strike Modules