HH.exe execution¶

Identifies usage of hh.exe executing recently modified .chm files.

id:	b25aa548-7937-11e9-8f5c-d46d6d62a49e
categories:	detect
confidence:	medium
os:	windows
created:	08/08/2019
updated:	09/26/2019

MITRE ATT&CK™ Mapping¶

tactics:	Defense Evasion, Execution
techniques:	T1223 Compiled HTML File

Query¶

sequence with maxspan=1d
   [file where file_name == "*.chm"]
   [process where subtype.create and process_name == "hh.exe" and command_line == "* *.chm*"]

Detonation¶

Atomic Red Team: T1223

Contributors¶

Dan Beavin