Detectionhightest

Persistence Via Hhctrl.ocx

Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Thu Jul 21Updated Thu Aug 17f10ed525-97fe-4fed-be7c-2feecca941b1windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: '\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)'
    filter:
        Details: 'C:\Windows\System32\hhctrl.ocx'
    condition: selection and not filter

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

persistence-info.github.io

Resolving title…

hexacorn.com

MITRE ATT&CK

Tactics

TA0003 · Persistence

Rule Metadata

Rule ID

f10ed525-97fe-4fed-be7c-2feecca941b1

Status

test

Level

high

Type

Detection

Created

Thu Jul 21

Modified

Thu Aug 17

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml

Raw Tags

attack.persistence

View on GitHub