{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/html-help-system/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HTML Help system"],"_cs_severities":["medium"],"_cs_tags":["compiled-html","execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft HTML Help system uses compiled HTML files (.chm) as part of its normal operation. Adversaries may conceal malicious code within CHM files and deliver them to victims for execution. CHM content is loaded by the HTML Help executable program (hh.exe). This technique allows attackers to proxy the execution of malicious payloads via a signed binary, hh.exe, potentially bypassing security controls and gaining initial access to environments via social engineering. The original Elastic detection rule was created in February 2020 and last updated April 7, 2026. This poses a threat because hh.exe is a legitimate Microsoft signed binary, making it more difficult to detect malicious activity without specific monitoring of its child processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious CHM file containing embedded code, such as JavaScript or shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious CHM file to the victim, often via phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CHM file, which is then processed by \u003ccode\u003ehh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehh.exe\u003c/code\u003e process executes the embedded malicious code within the CHM file.\u003c/li\u003e\n\u003cli\u003eThe malicious code spawns a child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e, to execute further commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to download and execute a secondary payload, such as malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system, allowing the attacker to maintain access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the compromised system, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the victim's machine, leading to potential data compromise, system infection, and further malicious activity. The use of a signed Microsoft binary (hh.exe) makes detection more difficult, potentially allowing the attacker to operate undetected for a longer period. The impact ranges from single-machine compromise to wider network breaches depending on the attacker's objectives and capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Compiled HTML File Spawning Scripting Interpreters\u0026quot; to your SIEM and tune for your environment to detect the execution of scripting interpreters by \u003ccode\u003ehh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ehh.exe\u003c/code\u003e spawning child processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules above and ensure comprehensive logging of process activity.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e by \u003ccode\u003ehh.exe\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:21:00Z","date_published":"2024-01-02T14:21:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/","summary":"Adversaries may abuse compiled HTML files (.chm) to execute malicious code by proxying execution via hh.exe, often leading to command execution via scripting interpreters.","title":"Execution via Compiled HTML File","url":"https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - HTML Help System","version":"https://jsonfeed.org/version/1.1"}