Detectionlowtest

HH.EXE Execution

Detects the execution of "hh.exe" to open ".chm" files.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.communityCreated Thu Oct 24Updated Mon Dec 1168c8acb4-1b60-4890-8e82-3ddf7a6dba84windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
        CommandLine|contains: '.chm'
    condition: all of selection_*

False Positives

False positives are expected with legitimate ".CHM"

References

Resolving title…

github.com

Resolving title…

eqllib.readthedocs.io

Resolving title…

zscaler.com

Testing & Validation

Regression Tests

by SigmaHQ Team

Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1218.001 · Compiled HTML File

Rule Metadata

Rule ID

68c8acb4-1b60-4890-8e82-3ddf7a6dba84

Status

test

Level

low

Type

Detection

Created

Thu Oct 24

Modified

Mon Dec 11

Author

E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community

Path

rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml

Raw Tags

attack.defense-evasionattack.t1218.001

View on GitHub