<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>HTML Help System - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/html-help-system/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 14:21:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/html-help-system/feed.xml" rel="self" type="application/rss+xml"/><item><title>Execution via Compiled HTML File</title><link>https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/</link><pubDate>Tue, 02 Jan 2024 14:21:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-compiled-html-execution/</guid><description>Adversaries may abuse compiled HTML files (.chm) to execute malicious code by proxying execution via hh.exe, often leading to command execution via scripting interpreters.</description><content:encoded><![CDATA[<p>The Microsoft HTML Help system uses compiled HTML files (.chm) as part of its normal operation. Adversaries may conceal malicious code within CHM files and deliver them to victims for execution. CHM content is loaded by the HTML Help executable program (hh.exe). This technique allows attackers to proxy the execution of malicious payloads via a signed binary, hh.exe, potentially bypassing security controls and gaining initial access to environments via social engineering. The original Elastic detection rule was created in February 2020 and last updated April 7, 2026. This poses a threat because hh.exe is a legitimate Microsoft signed binary, making it more difficult to detect malicious activity without specific monitoring of its child processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious CHM file containing embedded code, such as JavaScript or shellcode.</li>
<li>The attacker delivers the malicious CHM file to the victim, often via phishing or social engineering.</li>
<li>The victim opens the CHM file, which is then processed by <code>hh.exe</code>.</li>
<li>The <code>hh.exe</code> process executes the embedded malicious code within the CHM file.</li>
<li>The malicious code spawns a child process, such as <code>cmd.exe</code>, <code>powershell.exe</code>, or <code>mshta.exe</code>, to execute further commands.</li>
<li>The spawned process executes commands to download and execute a secondary payload, such as malware.</li>
<li>The malware establishes persistence on the system, allowing the attacker to maintain access.</li>
<li>The attacker performs actions on the compromised system, such as data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary code on the victim's machine, leading to potential data compromise, system infection, and further malicious activity. The use of a signed Microsoft binary (hh.exe) makes detection more difficult, potentially allowing the attacker to operate undetected for a longer period. The impact ranges from single-machine compromise to wider network breaches depending on the attacker's objectives and capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Compiled HTML File Spawning Scripting Interpreters&quot; to your SIEM and tune for your environment to detect the execution of scripting interpreters by <code>hh.exe</code>.</li>
<li>Monitor process creation events for <code>hh.exe</code> spawning child processes such as <code>cmd.exe</code>, <code>powershell.exe</code>, and <code>mshta.exe</code> to identify potential exploitation attempts.</li>
<li>Enable Sysmon process-creation logging to activate the rules above and ensure comprehensive logging of process activity.</li>
<li>Implement application control policies to restrict the execution of <code>cmd.exe</code>, <code>powershell.exe</code>, and <code>mshta.exe</code> by <code>hh.exe</code> to prevent exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>compiled-html</category><category>execution</category><category>defense-evasion</category><category>windows</category></item></channel></rss>