rules/windows/sysmon/win_susp_Compiled_HTML.yml

title: Trigger Compiled HTML
status: experimental
description: This detects compiled HTML triggered by HH
references: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
date: 2019/08/14
author: Lep
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image_lc: '*\hh.exe'
  condition: selection1
falsepositives:
  - Normal HTML Help File
tags:
  - attack.execution
  - attack.t1223
  - attack.g0050
level: high
rules for APT32 2019-08-28 10:12:01 +07:00			`title: Trigger Compiled HTML`
			`status: experimental`
			`description: This detects compiled HTML triggered by HH`
			`references: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/`
			`date: 2019/08/14`
			`author: Lep`
			`logsource:`
process_creation update 2019-08-28 17:13:54 +07:00			`category: process_creation`
rules for APT32 2019-08-28 10:12:01 +07:00			`product: windows`
			`detection:`
			`selection1:`
			`Image_lc: '*\hh.exe'`
			`condition: selection1`
			`falsepositives:`
			`- Normal HTML Help File`
			`tags:`
			`- attack.execution`
process_creation update 2019-08-28 17:13:54 +07:00			`- attack.t1223`
			`- attack.g0050`
end space 2019-08-29 15:43:36 +07:00			`level: high`