rules/windows/execution_via_compiled_html_file.toml

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/07/20"

[rule]
author = ["Elastic"]
description = """
Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal
malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
program (hh.exe).
"""
false_positives = [
    """
    The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that
    opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology
    to conceal malicious code.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Process Activity via Compiled HTML File"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
 process.parent.name : "hh.exe" and
 process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.001"
name = "Compiled HTML File"
reference = "https://attack.mitre.org/techniques/T1218/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`[metadata]`
			`creation_date = "2020/02/18"`
			`maturity = "production"`
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) 2022-07-22 14:30:34 -04:00			`updated_date = "2022/07/20"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal`
			`malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable`
			`program (hh.exe).`
			`"""`
			`false_positives = [`
			`"""`
			`The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that`
			`opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology`
			`to conceal malicious code.`
			`""",`
			`]`
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) 2021-02-17 19:49:58 -09:00			`from = "now-9m"`
[Rule Tuning] Add windows integration index to rules (#923 ) 2021-01-28 20:53:57 -09:00			`index = ["winlogbeat-", "logs-endpoint.events.", "logs-windows.*"]`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`name = "Process Activity via Compiled HTML File"`
2058 add setup field to metadata (#2061 ) 2022-07-18 15:41:32 -04:00			`note = """## Setup`
Expand timestamp override tests (#1907 ) 2022-04-01 15:27:08 -08:00
			If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
			`"""`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`risk_score = 47`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`severity = "medium"`
[Rule Tuning] Tag Categorization Updates (#380 ) 2020-10-26 13:50:45 -05:00			`tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]`
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948 ) 2021-02-16 10:52:48 -09:00			`timestamp_override = "event.ingested"`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`type = "eql"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`query = '''`
2058 add setup field to metadata (#2061 ) 2022-07-18 15:41:32 -04:00			`process where event.type in ("start", "process_started") and`
			`process.parent.name : "hh.exe" and`
[Rule Tuning] Added Powershell_ise.exe to some rules. (#1566 ) 2021-10-26 10:16:31 -05:00			`process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00			`[[rule.threat.technique]]`
			`id = "T1204"`
			`name = "User Execution"`
			`reference = "https://attack.mitre.org/techniques/T1204/"`
Expand timestamp override tests (#1907 ) 2022-04-01 15:27:08 -08:00			`[[rule.threat.technique.subtechnique]]`
			`id = "T1204.002"`
			`name = "Malicious File"`
			`reference = "https://attack.mitre.org/techniques/T1204/002/"`
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00

Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`[rule.threat.tactic]`
			`id = "TA0002"`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`name = "Execution"`
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00			`reference = "https://attack.mitre.org/tactics/TA0002/"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) 2020-12-18 12:46:16 -09:00			`id = "T1218"`
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) 2022-07-22 14:30:34 -04:00			`name = "System Binary Proxy Execution"`
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00			`reference = "https://attack.mitre.org/techniques/T1218/"`
Expand timestamp override tests (#1907 ) 2022-04-01 15:27:08 -08:00			`[[rule.threat.technique.subtechnique]]`
			`id = "T1218.001"`
			`name = "Compiled HTML File"`
			`reference = "https://attack.mitre.org/techniques/T1218/001/"`
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) 2020-12-18 12:46:16 -09:00
Populate rules/ directory. 2020-06-29 22:57:00 -06:00

			`[rule.threat.tactic]`
			`id = "TA0005"`
Convert windows rules from KQL to EQL (#1114 ) 2021-04-30 11:21:12 -08:00			`name = "Defense Evasion"`
[Rule Tuning] Update threat mappings for Windows rules (#1497 ) 2021-09-23 14:08:38 -03:00			`reference = "https://attack.mitre.org/tactics/TA0005/"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00