Process Activity via Compiled HTML Fileedit
Compiled HTML files (.chm
) are commonly distributed as part of the Microsoft
HTML Help system. Adversaries may conceal malicious code in a CHM file and
deliver it to a victim for execution. CHM content is loaded by the HTML Help
executable program (hh.exe
).
Rule type: query
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Potential false positivesedit
The HTML Help executable program (hh.exe
) runs whenever a user clicks a
compiled help (.chm
) file or menu item that opens the help file inside the
Help Viewer. This is not always malicious, but adversaries may abuse this
technology to conceal malicious code.
Rule queryedit
event.code:1 and process.name:hh.exe
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Compiled HTML File
- ID: T1223
- Reference URL: https://attack.mitre.org/techniques/T1223/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Compiled HTML File
- ID: T1223
- Reference URL: https://attack.mitre.org/techniques/T1223/
Rule version historyedit
- Version 2 (7.7.0 release)
-
- Formatting only.