Detectionhightest
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_paths:
CommandLine|contains:
- '.application'
- '\AppData\Local\Temp\'
- '\Content.Outlook\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\AppData\Local\Temp\Temp?_'
# - '\AppData\Local\Temp\Rar$'
# - '\AppData\Local\Temp\7z'
# - '\AppData\Local\Temp\wz'
# - '\AppData\Local\Temp\peazip-tmp'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
e8a95b5e-c891-46e2-b33a-93937d3abc31
Status
test
Level
high
Type
Detection
Created
Wed Apr 01
Modified
Wed Apr 12
Author
Path
rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
Raw Tags
attack.defense-evasionattack.executionattack.initial-accessattack.t1047attack.t1059.001attack.t1059.003attack.t1059.005attack.t1059.007attack.t1218attack.t1218.001attack.t1218.010attack.t1218.011attack.t1566attack.t1566.001