MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1218.001: Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-317: Malicious_CHM_File: A potentially dangerous help file is opened

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor and analyze the execution and arguments of hh.exe. Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of any HTML Help Executable ( hh.exe ) processes. Adversaries may hide malicious code in .chm compiled help files; whenever a user tries to open one of these files, Windows executes the HTML Help Executable. Therefore, if there are legitimate uses of compiled help files in your environment, this analytic may lead to false positives and will require additional tuning.

Analytic 1 - Compiled HTML Access

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="C:\Windows\syswow64\hh.exe" OR Image="C:\Windows\system32\hh.exe"

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

IDDS0022Data source and componentFile: File CreationDescription

Monitor presence and use of CHM files, especially if they are not typically used within an environment.

Mitigation

IDM1021NameRestrict Web-Based ContentDescription

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files

IDM1038NameExecution PreventionDescription

Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.