{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/html-help/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HTML Help"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","command-and-control","malicious-file","html-help"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections done by hh.exe, which can potentially indicate abuse to download malicious files or tooling, or masquerading. The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.\u003c/li\u003e\n\u003cli\u003eThe user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).\u003c/li\u003e\n\u003cli\u003eThe hh.exe process loads and renders the HTML content within the .chm file.\u003c/li\u003e\n\u003cli\u003eEmbedded within the HTML content is malicious JavaScript or other scripting code.\u003c/li\u003e\n\u003cli\u003eThe malicious script executes, initiating a network connection via hh.exe to an external server.\u003c/li\u003e\n\u003cli\u003eThe external server hosts a malicious payload, such as a reverse shell or an executable file.\u003c/li\u003e\n\u003cli\u003eHh.exe downloads the malicious payload to the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial access to a victim\u0026rsquo;s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNetwork Connection via Compiled HTML File\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.\u003c/li\u003e\n\u003cli\u003eMonitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. Create a Sigma rule to detect such events.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised host and restrict lateral movement.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.\u003c/li\u003e\n\u003cli\u003eInspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-hh-exe-network-connection/","summary":"This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.","title":"Network Connection via Compiled HTML File","url":"https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/"}],"language":"en","title":"CraftedSignal Threat Feed — HTML Help","version":"https://jsonfeed.org/version/1.1"}