Attack Chain

1. The attacker crafts a malicious .chm file containing embedded malicious code, such as a PowerShell script or executable.
2. The attacker delivers the .chm file to the victim via social engineering, such as phishing or malicious websites.
3. The victim opens the .chm file, causing hh.exe to launch.
4. hh.exe processes the .chm file, rendering its content, which includes the embedded malicious script or executable.
5. The malicious code executes, often spawning a scripting interpreter like powershell.exe or cmd.exe.
6. The scripting interpreter executes commands to download additional payloads or perform malicious actions on the system.
7. The attacker gains initial access to the victim’s system.
8. The attacker escalates privileges and moves laterally within the network.

Impact

Successful exploitation can lead to initial access, code execution, and potentially full system compromise. This can result in data theft, malware installation, and further lateral movement within the network. The severity and impact depend on the permissions of the user running hh.exe and the nature of the malicious payload.

Recommendation

• Deploy the Sigma rule “Compiled HTML File Spawning Suspicious Processes” to your SIEM to detect instances where hh.exe is the parent process of scripting interpreters.
• Enable Sysmon process creation logging to provide the necessary data for the Sigma rule to function correctly.
• Monitor process execution chains for unknown processes originating from hh.exe, as mentioned in the investigation guide.
• Implement email filtering and security awareness training to prevent users from opening malicious .chm files delivered via phishing.
• Block the execution of unsigned or untrusted executables in the environment to reduce the risk of malicious code execution.
• Use endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to detect and respond to malicious activity.