Type: Threat Hunt | Level: medium | Status: test

HH.EXE Initiated HTTP Network Connection

Detects a network connection initiated by the "hh.exe" process to destination port 80 or 443, which could indicate the execution or download of a remotely hosted .chm file.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Oct 05
Rule ID: 468a8cea-2920-4909-a593-0cbe1d96674a
Product: windows
Hunting Hypothesis
Log Source
Product: windows
Category: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '\hh.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
    condition: selection
False Positives

False positives are expected when "hh.exe" is launched for the first time in a while on a machine, or simply from help files that reference external sources. Correlate hits with process creation and file events before acting on them.
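To show what the selection above actually matches, and how the false-positive triage it recommends can be done in practice, here is an added example (not part of the Sigma rule or its test data) that evaluates the selection over constructed Sysmon Event ID 3 records and joins each hit to its Sysmon Event ID 1 process-creation record by ProcessGuid. It follows Sigma matching semantics, where string comparison is case-insensitive and a list value is an OR; Sysmon records Initiated as the string "true", which is why the rule quotes it. The events, GUIDs, IPs and command lines are all made up, and the "URL argument" check is a triage heuristic assumed here, not something the rule specifies.

```python
import re

# The rule's selection map, kept as data so the matching semantics are visible.
SELECTION = {
    "Image|endswith": "\\hh.exe",
    "Initiated": "true",
    "DestinationPort": [80, 443],
}


def _matches_field(spec_key, expected, event):
    """Match one Sigma field (with optional modifier) against an event.

    Sigma string matching is case-insensitive; a list of values is an OR.
    Values are compared as strings so a port logged as "443" or 443 both work.
    """
    field, _, modifier = spec_key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
        if modifier not in ("", "endswith"):
            raise ValueError(f"unsupported modifier {modifier!r}")
    return False


def selection_matches(event):
    """condition: selection -> every field in the selection map must match (AND)."""
    return all(_matches_field(k, v, event) for k, v in SELECTION.items())


def has_url_argument(command_line):
    """Triage heuristic (assumption, not from the rule): hh.exe handed a URL
    rather than a local .chm path is the case the rule is hunting for."""
    return bool(re.search(r"\bhttps?://\S+", command_line or "", re.IGNORECASE))


def hunt(network_events, process_events):
    """Run the selection over Sysmon EID 3 records and enrich each hit with the
    command line and parent from the matching EID 1 record (joined on ProcessGuid)."""
    by_guid = {e["ProcessGuid"]: e for e in process_events if e["EventID"] == 1}
    hits = []
    for ev in network_events:
        if ev["EventID"] != 3 or not selection_matches(ev):
            continue
        proc = by_guid.get(ev["ProcessGuid"], {})
        hits.append({
            "ProcessGuid": ev["ProcessGuid"],
            "DestinationIp": ev["DestinationIp"],
            "DestinationPort": ev["DestinationPort"],
            "CommandLine": proc.get("CommandLine"),
            "ParentImage": proc.get("ParentImage"),
            "url_argument": has_url_argument(proc.get("CommandLine")),
        })
    return hits


# Constructed Sysmon Event ID 3 (network connection) records.
NETWORK_EVENTS = [
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\hh.exe",
     "Initiated": "true", "DestinationPort": 443, "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\HH.EXE",  # case differs
     "Initiated": "true", "DestinationPort": 80, "DestinationIp": "198.51.100.7"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\hh.exe",
     "Initiated": "false", "DestinationPort": 443, "DestinationIp": "203.0.113.10"},  # inbound
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": "C:\\Windows\\hh.exe",
     "Initiated": "true", "DestinationPort": 8080, "DestinationIp": "203.0.113.10"},  # port not listed
    {"EventID": 3, "ProcessGuid": "{E5}", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "Initiated": "true", "DestinationPort": 443, "DestinationIp": "203.0.113.10"},
]

# Constructed Sysmon Event ID 1 (process creation) records for the same processes.
PROCESS_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\hh.exe",
     "CommandLine": '"C:\\Windows\\hh.exe" http://203.0.113.10/invoice.chm',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\HH.EXE",
     "CommandLine": '"C:\\Windows\\hh.exe" "C:\\Program Files\\Vendor\\help.chm"',
     "ParentImage": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    for hit in hunt(NETWORK_EVENTS, PROCESS_EVENTS):
        flag = "REMOTE URL" if hit["url_argument"] else "local help file"
        print(f"{hit['ProcessGuid']} -> {hit['DestinationIp']}:{hit['DestinationPort']}"
              f" [{flag}] {hit['CommandLine']} (parent: {hit['ParentImage']})")
```

Only the two outbound hh.exe connections to 80/443 survive the selection; the inbound connection, the non-listed port and the browser are dropped. The join then separates the hit that looks like the rule's target (hh.exe launched with a URL from explorer.exe) from the benign-looking one (a vendor application opening its own local help file), which is the correlation step the false-positive note asks for.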

MITRE ATT&CK

Defense Evasion (attack.defense-evasion); T1218.001 System Binary Proxy Execution: Compiled HTML File (attack.t1218.001)

Other

detection.threat-hunting
Rule Metadata
Rule ID
468a8cea-2920-4909-a593-0cbe1d96674a
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Oct 05
Path
rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
Raw Tags
attack.defense-evasion, attack.t1218.001, detection.threat-hunting