Persistence Via Hhctrl.ocx
Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
Sigma rule (View on GitHub)
1title: Persistence Via Hhctrl.ocx
2id: f10ed525-97fe-4fed-be7c-2feecca941b1
3status: test
4description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
5references:
6 - https://persistence-info.github.io/Data/hhctrl.html
7 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-07-21
10modified: 2023-08-17
11tags:
12 - attack.persistence
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)'
19 filter:
20 Details: 'C:\Windows\System32\hhctrl.ocx'
21 condition: selection and not filter
22falsepositives:
23 - Unlikely
24level: high
References
-
hhctrl.ocx Location: HKCR\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32 Classification: Criteria Value Permissions Admin Security context User Persistence type Registry Code type Othe...
Read More -
This is one more about hh.exe program that is used when you open the .chm files. The hh.exe functionality is implemented by the hhctrl.ocx library. When hh.exe is started it tries to find the hhctr...
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint