{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/chm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Windows"],"_cs_severities":["high"],"_cs_tags":["html-help","chm","lolbas","process-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse the HTML Help executable (hh.exe) to execute malicious code on a target system. Compiled HTML Help (CHM) files can contain embedded scripts or links to external resources. When a CHM file is opened, hh.exe renders the content, potentially triggering the execution of malicious scripts. This technique is often used to bypass security controls and deliver malware. This behavior is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system. The LOLBAS project documents this use of hh.exe, and it has been observed in use by various threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious CHM file containing embedded scripts or links.\u003c/li\u003e\n\u003cli\u003eThe CHM file is delivered to the victim via email or other means.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CHM file, which is processed by hh.exe.\u003c/li\u003e\n\u003cli\u003eHh.exe renders the HTML content within the CHM file.\u003c/li\u003e\n\u003cli\u003eThe embedded script (e.g., JavaScript, VBScript) or link is executed.\u003c/li\u003e\n\u003cli\u003eThe script spawns a child process (e.g., cmd.exe, powershell.exe) using ShellExecute or similar methods.\u003c/li\u003e\n\u003cli\u003eThe child process executes arbitrary commands, downloads malware, or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system or exfiltrates data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to arbitrary code execution, allowing the attacker to compromise the system. This can result in data theft, installation of malware, or further propagation within the network. The number of potential victims is broad, as CHM files can be distributed through various channels. The impact ranges from individual workstation compromise to widespread organizational breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for hh.exe spawning child processes to detect potential malicious activity, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect HTML Help Spawning CMD\u003c/code\u003e to identify instances of hh.exe spawning command interpreters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HTML Help Spawning PowerShell\u003c/code\u003e to detect instances of hh.exe spawning PowerShell processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data.\u003c/li\u003e\n\u003cli\u003eBlock known malicious CHM files based on file hash (if available from threat intelligence feeds, although none are included here).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-html-help-spawn/","summary":"The execution of hh.exe (HTML Help) spawning a child process indicates the use of a Compiled HTML Help (CHM) file to execute potentially malicious Windows script code.","title":"HTML Help Executable Spawning Child Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-html-help-spawn/"}],"language":"en","title":"CraftedSignal Threat Feed - Chm","version":"https://jsonfeed.org/version/1.1"}