Potential Persistence Via CHM Helper DLL
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
Sigma rule
title: Potential Persistence Via CHM Helper DLL
id: 976dd1f2-a484-45ec-aa1d-0e87e882262b
status: test
description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
references:
    - https://persistence-info.github.io/Data/htmlhelpauthor.html
    - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\HtmlHelp Author\Location'
            - '\Software\WOW6432Node\Microsoft\HtmlHelp Author\Location'
    condition: selection
falsepositives:
    - Unknown
level: high
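The rule's selection evaluated over sample events, as an added example that is not part of the original rule or of the Sigma project's code. It assumes Sysmon-style field names (`TargetObject`, `Details`, `Image`) for the `registry_set` category, and every event, SID and file path in it is constructed.

```python
# Added example: re-implements the rule's selection for offline testing.
# Field names follow Sysmon Event ID 13 (assumption); all events are constructed.

PATTERNS = [
    r"\Software\Microsoft\HtmlHelp Author\Location",
    r"\Software\WOW6432Node\Microsoft\HtmlHelp Author\Location",
]

def selection(event):
    """Sigma 'contains' with a value list: case-insensitive substring, OR across items."""
    target = event.get("TargetObject", "").lower()
    return any(p.lower() in target for p in PATTERNS)

def triage(events):
    """Return (Image, TargetObject, Details) for every event the rule fires on."""
    return [(e.get("Image"), e["TargetObject"], e.get("Details"))
            for e in events if selection(e)]

# Constructed sample events, not real telemetry.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Per-user hive, native view: matches the first pattern.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\HtmlHelp Author\Location",
     "Details": r"C:\Example\sample.dll"},
    # Machine hive, 32-bit view, upper-case SOFTWARE: matches the second pattern.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\HtmlHelp Author\Location",
     "Details": r"C:\Example\sample32.dll"},
    # Same key, different (hypothetical) value name: no match.
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\HtmlHelp Author\OtherValue",
     "Details": "1"},
    # Unrelated key: no match.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Example\updater.exe"},
]

if __name__ == "__main__":
    for image, target, details in triage(SAMPLE_EVENTS):
        print(f"ALERT image={image} target={target} details={details}")
```

Because the match is a substring test on `TargetObject`, it fires regardless of which hive prefix (`HKU\<SID>`, `HKLM`) the logging source prepends; `Details` and `Image` are the fields to review first when triaging a hit.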