The hypothesis detects an adversary modifying the registry to redirect the “hhctrl” entry to a malicious binary, indicating persistence via a custom payload to maintain access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify stealthy persistence mechanisms often used in advanced threats that evade traditional detection.
title: Persistence Via Hhctrl.ocx
id: f10ed525-97fe-4fed-be7c-2feecca941b1
status: test
description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
references:
- https://persistence-info.github.io/Data/hhctrl.html
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)'
filter:
Details: 'C:\Windows\System32\hhctrl.ocx'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
imRegistry
| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))DeviceRegistryEvents
| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |