sigma-rules/rules/windows/execution_via_compiled_html_file.toml

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/02/16"

[rule]
author = ["Elastic"]
description = """
Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal
malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
program (hh.exe).
"""
false_positives = [
    """
    The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that
    opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology
    to conceal malicious code.
    """,
]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Process Activity via Compiled HTML File"
risk_score = 21
rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and event.type:(start or process_started) and process.name:hh.exe
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "Signed Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.001"
name = "Compiled HTML File"
reference = "https://attack.mitre.org/techniques/T1218/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"