t1218.001
| Title | Tags |
| --- | --- |
| although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. | t1218, t1218.001, endpoint, splunk |
| although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. filter as needed. | t1218, t1218.001, endpoint, splunk |
| although unlikely, some legitimate applications may retrieve a chm remotely, filter as needed. | t1218, t1218.001, endpoint, splunk |
| false positives are expected with legitimate ".chm" | t1218, t1218.001, windows, sigma |
| it is rare to see instances of infotech storage handlers being used, but it does happen in some legitimate instances. filter as needed. | t1218, t1218.001, endpoint, splunk |