title: Trigger Compiled HTML
status: experimental
description: Detects compiled HTML (CHM) files being triggered through hh.exe
references:
    - https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
date: 2019/08/14
author: Lep
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image_lc: '*\hh.exe'
    condition: selection1
falsepositives:
    - Normal HTML Help File
tags:
    - attack.execution
    - attack.t1223
    - attack.g0050
level: high