title: Compiled HTML File
description: Breaking down the below query, the first section will detect Atomic Test
  1 where a malicious chm file spawns a process, whereas the second half of the query
  detects hh.exe loading a remote payloads.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 001
operating_system: windows
query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
  = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
false_positives: null
tags: null