From edb52e098a2a45044b04900bfce3f7a5478b3b4e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 4 Aug 2017 09:18:26 +0200
Subject: [PATCH] Extended hh.exe in Office Shell detection

https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
---
 rules/windows/sysmon/sysmon_office_shell.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index 838bb5543..7c6cffa86 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -23,6 +23,7 @@ detection:
             - '*\sh.exe'
             - '*\bash.exe'
             - '*\scrcons.exe'
+            - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
     condition: selection
 falsepositives:
     - unknown
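Review bot: The added `'*\hh.exe'` entry carries its sample reference as a trailing YAML comment, which Sigma converters drop and readers of the rendered rule never see; the convention is to keep the list item as `- '*\hh.exe'` and put the URL in the rule's `references:` list at the top of the file, which lies outside this hunk. The `falsepositives:` field still reads `unknown` after this change even though hh.exe (HTML Help) is a Windows-shipped binary that an Office application might spawn for benign reasons, e.g. opening help content; if that is a plausible benign case it should be named there so analysts can tune the rule. The `selection` list that the new entry belongs to begins before the hunk, so the exact field (`Image`, presumably) is inferred rather than visible here.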