security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
61afb1c1c0c3f50637b1bb194f3e6fb09f476e50
sigma-rules/rules/windows/execution_via_compiled_html_file.toml
T
Jonhnathan 61afb1c1c0 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors
2021-09-23 12:08:38 -05:00

76 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/09/23"
[rule]
author = ["Elastic"]
description = """
Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal
malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
program (hh.exe).
"""
false_positives = [
"""
The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that
opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology
to conceal malicious code.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Process Activity via Compiled HTML File"
risk_score = 47
rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.parent.name : "hh.exe" and
process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "Signed Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.001"
name = "Compiled HTML File"
reference = "https://attack.mitre.org/techniques/T1218/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink