title: Suspicious HWP Sub Processes description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation status: experimental references: - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/ - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 - https://twitter.com/cyberwar_15/status/1187287262054076416 - https://blog.alyac.co.kr/1901 - https://en.wikipedia.org/wiki/Hangul_(word_processor) tags: - attack.execution - attack.defense_evasion - attack.initial_access - attack.t1059 - attack.t1202 - attack.t1193 - attack.g0032 author: Florian Roth date: 2019/10/24 logsource: category: process_creation product: windows detection: selection: ParentImage: '*\Hwp.exe' Image: '*\gbb.exe' condition: selection falsepositives: - Unknown level: high