HH.exe execution¶
Identifies usage of hh.exe executing recently modified .chm files.
id: | b25aa548-7937-11e9-8f5c-d46d6d62a49e |
---|---|
categories: | detect |
confidence: | medium |
os: | windows |
created: | 08/08/2019 |
updated: | 09/26/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Defense Evasion, Execution |
---|---|
techniques: | T1223 Compiled HTML File |
Query¶
sequence with maxspan=1d
[file where file_name == "*.chm"]
[process where subtype.create and process_name == "hh.exe" and command_line == "* *.chm*"]