title: Suspicious HWP Sub Processes
ruletype: Sigma
author: Florian Roth
date: 2019/10/24
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that
  could indicate an exploitation
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    ParentImage: '*\Hwp.exe'
  SELECTION_3:
    Image: '*\gbb.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/11/27
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
status: test
tags:
- attack.initial_access
- attack.t1566.001
- attack.t1193
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.t1059
- attack.g0032