-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-11-009.yaml
48 lines (48 loc) · 1.55 KB
/
CAR-2020-11-009.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
title: Compiled HTML Access
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-009
description: |-
Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.
coverage:
- technique: T1218
tactics:
- TA0005
subtechniques:
- T1218.001
coverage: High
implementations:
- name: Pseudocode - instances of hh.exe
description: This is a pseudocode representation of the below splunk search.
code: |-
processes = search Process:Create
target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe")
output target_processes
data_model: CAR native
type: Pseudocode
- name: Splunk Search - hh.exe
description: looks all instances of hh.exe
code: |-
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe")
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - hh.exe
description: looks all instances of hh.exe
code: |-
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe")
data_model: LogPoint native
type: LogPoint
data_model_references:
- process/create/exe
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis