HH.exe LOLBA executing .chm files
Detecting the execution of hh.exe and the follow-up activity for downloading or executing second stage payloads. This is based on malspam activity delivering Remote Access Trojans via initial .chm payloads.
Sigma rule
title: HH.exe LOLBA executing .chm files
description: Detecting the execution of hh.exe and the follow-up activity for downloading or executing
    second stage payloads. This is based on malspam activity delivering Remote Access Trojans via initial .chm
    payloads.
status: experimental
references:
    - https://www.virustotal.com/gui/file/f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f/behavior/C2AE
    - https://tria.ge/220520-cbrbasebb7/behavioral2
    - https://www.socinvestigation.com/threat-actors-abuse-microsofts-html-help-file-to-deliver-malware/
author: '@Kostastsale'
date: 2022/05/24
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '\hh.exe'
        ParentCommandLine|endswith:
            - '.chm'
    selection2:
        Image|endswith:
            - '\cmd.exe'
        CommandLine|contains:
            - ' /c '
    selection3:
        Image|endswith:
            - '\pwsh.exe'
            - '\powershell.exe'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - Unknown
level: high
tags:
    - attack.Compiled.HTML.File
    - attack.T1218.001
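To see what the condition above actually fires on, here is an added example (not the rule author's code) that evaluates the same selection logic over a handful of constructed process_creation events: two hh.exe-parented children that should alert, and two that should not. The field names follow the rule; the file paths and command lines are made up for illustration.

```python
# Added example, not part of the Sigma rule above: a small evaluator for the
# rule's detection logic, run over constructed process_creation events.
# Sigma's endswith/contains modifiers are case-insensitive, so both sides are lower-cased.

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {  # 0: hh.exe rendering a .chm spawns cmd.exe /c -> selection1 and selection2
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r"C:\Windows\hh.exe C:\Users\u\Downloads\invoice.chm",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c start /min %TEMP%\stage2.cmd",
    },
    {  # 1: same parent, PowerShell child -> selection1 and selection3 (case differs)
        "ParentImage": r"C:\Windows\HH.EXE",
        "ParentCommandLine": r"C:\Windows\HH.EXE C:\Users\u\Downloads\report.CHM",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -File %TEMP%\stage2.ps1",
    },
    {  # 2: cmd.exe /c from explorer.exe: no hh.exe parent, so no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {  # 3: hh.exe opening a .chm hands a help link to a browser: no alert
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r"C:\Windows\hh.exe C:\Windows\Help\product.chm",
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "CommandLine": "iexplore.exe https://example.invalid/help",
    },
]

def _endswith_any(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matches_hh_chm_rule(event):
    """True when the event satisfies: selection1 and (selection2 or selection3)."""
    selection1 = (_endswith_any(event.get("ParentImage"), [r"\hh.exe"])
                  and _endswith_any(event.get("ParentCommandLine"), [".chm"]))
    selection2 = (_endswith_any(event.get("Image"), [r"\cmd.exe"])
                  and " /c " in (event.get("CommandLine") or "").lower())
    selection3 = _endswith_any(event.get("Image"), [r"\pwsh.exe", r"\powershell.exe"])
    return selection1 and (selection2 or selection3)

def alert_indices(events):
    """Indices of events that would raise this rule (SAMPLE_EVENTS -> [0, 1])."""
    return [i for i, e in enumerate(events) if matches_hh_chm_rule(e)]
```

Note that selection2 requires the literal ' /c ' with surrounding spaces, exactly as the rule is written, while selection3 alerts on any PowerShell child of a .chm-rendering hh.exe regardless of its arguments.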