/
detect_html_help_spawn_child_process.yml
96 lines (96 loc) · 3.67 KB
/
detect_html_help_spawn_child_process.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
name: Detect HTML Help Spawn Child Process
id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
version: 1
date: '2021-02-11'
author: Michael Haag, Splunk
type: TTP
datamodel:
- Endpoint
description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled
HTML Help (CHM) that spawns a child process. This particular technique will load
Windows script code from a compiled help file. CHM files may contain nearly any
file type embedded, but only execute html/htm. Upon a successful execution, the
following script engines may be used for execution - JScript, VBScript, VBScript.Encode,
JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll
loading into hh.exe upon execution. The "htm" and "html" file extensions were the
only extensions observed to be supported for the execution of Shortcut commands
or WSH script code. During investigation, identify script content origination. Review
child process events and investigate further. hh.exe is natively found in C:\Windows\system32
and C:\Windows\syswow64.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe
by Processes.dest Processes.user Processes.parent_process Processes.process_name
Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` node.
known_false_positives: Although unlikely, some legitimate applications (ex. web browsers)
may spawn a child process. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1218/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://lolbas-project.github.io/lolbas/Binaries/Hh/
- https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7
- https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/
tags:
analytic_story:
- Suspicious Compiled HTML Activity
asset_type: Endpoint
automated_detection_testing: passed
cis20:
- CIS 8
confidence: 100
context:
- Source:Endpoint
- Stage:Defense Evasion
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log
impact: 80
kill_chain_phases:
- Actions on Objectives
message: An instance of $parent_process_name$ spawning $process_name$ was identified
on endpoint $dest$ by user $user$ spawning a child process, typically not normal
behavior.
mitre_attack_id:
- T1218
- T1218.001
nist:
- PR.PT
- DE.CM
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
- name: parent_process_name
type: Parent Process
role:
- Parent Process
- name: process_name
type: Process
role:
- Child Process
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 80
security_domain: endpoint