title: Trigger Compiled HTML
status: experimental
description: Detects compiled HTML triggered by hh.exe
references: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
date: 2019/08/14
author: Lep
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 1
        Image_lc: '*\hh.exe'
    condition: selection1
falsepositives:
    - Normal HTML Help File
tags:
    - attack.execution
    - attack.T1223
    - attack.G0050
level: high