T1218.001 Compiled HTML File Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "hh.exe"
| where ProcessCommandLine has_any (".chm", "ms-its:", "mk:@MSITStore")
| extend SuspiciousChild = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend NetworkActivity = ProcessCommandLine has "http"
| extend RemoteLoad = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SuspiciousChild, NetworkActivity, RemoteLoad
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "hh.exe"
  | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate Windows Help files (.chm) launched by system utilities or software installers
IT documentation tools that package help content as CHM files and open them via hh.exe
Software development environments opening SDK or API documentation in CHM format
Help desk software that renders CHM-based knowledge bases

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(Image="*\\hh.exe" OR ParentImage="*\\hh.exe")
| eval SuspiciousParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta)\.exe"), 1, 0)
| eval RemoteLoad=if(match(CommandLine, "(http[s]?://|\\\\\\\\[a-zA-Z])"), 1, 0)
| eval SuspiciousChild=if(match(Image, "(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe") AND ParentImage="*\\hh.exe", 1, 0)
| eval RiskScore=SuspiciousParent + RemoteLoad + SuspiciousChild
| where RiskScore > 0 OR ParentImage="*\\hh.exe"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, RemoteLoad, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Windows Help files (.chm) launched by system utilities or software installers
IT documentation tools that package help content as CHM files and open them via hh.exe
Software development environments opening SDK or API documentation in CHM format
Help desk software that renders CHM-based knowledge bases

Elastic Security (EQL)

eql

sequence by host.name with maxspan=30s
  [process where event.type == "start" and
   process.name : "hh.exe" and
   (process.args : ("*.chm", "ms-its:*", "mk:@MSITStore*", "http://*", "https://*", "\\\\*") or
    process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"))]
  [process where event.type == "start" and
   process.parent.name : "hh.exe" and
   process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")]

/* Standalone: hh.exe with suspicious indicators */
process where event.type == "start" and
  process.name : "hh.exe" and
  (
    process.args : ("ms-its:*", "mk:@MSITStore*") or
    process.args : ("http://*", "https://*", "\\\\*") or
    process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate Windows Help system invocations where developers or IT staff open .chm documentation files directly from disk without suspicious parents
Helpdesk or IT management tools that bundle CHM-based documentation and launch hh.exe programmatically from known software directories
Software installers that extract and display embedded CHM help files during installation routines — common in older enterprise software suites

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  CASE
    WHEN LOWER("ParentImage") SIMILAR TO '%(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN "CommandLine" SIMILAR TO '%(http://|https://|\\\\[a-zA-Z])%' THEN 1
    ELSE 0
  END AS remote_load,
  CASE
    WHEN LOWER("Image") SIMILAR TO '%(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
      AND LOWER("ParentImage") SIMILAR TO '%\\hh\.exe' THEN 1
    ELSE 0
  END AS suspicious_child,
  (CASE WHEN LOWER("ParentImage") SIMILAR TO '%(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe' THEN 1 ELSE 0 END +
   CASE WHEN "CommandLine" SIMILAR TO '%(http://|https://|\\\\[a-zA-Z])%' THEN 1 ELSE 0 END +
   CASE WHEN LOWER("Image") SIMILAR TO '%(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe' AND LOWER("ParentImage") SIMILAR TO '%\\hh\.exe' THEN 1 ELSE 0 END) AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)
  AND (
    (LOWER("Image") SIMILAR TO '%\\hh\.exe'
      AND (
        "CommandLine" SIMILAR TO '%(ms-its:|mk:@MSITStore|http://|https://|\\\\[a-zA-Z])%'
        OR LOWER("ParentImage") SIMILAR TO '%(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta)\.exe'
      )
    )
    OR (
      LOWER("ParentImage") SIMILAR TO '%\\hh\.exe'
      AND LOWER("Image") SIMILAR TO '%(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe'
    )
  )
  AND QIDNAME(qid) IN ('Process Launch', 'Process Create', 'Windows Process Created')
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Microsoft Windows Security Event Log QRadar Sysmon via Windows Event Forwarding

Required Tables

events

False Positives

Enterprise software packages that ship with CHM help documentation and launch hh.exe during installation or when a user clicks the Help menu item
IT asset management or configuration management tools that programmatically invoke hh.exe to display context-sensitive help tied to internal documentation systems
Legacy line-of-business applications built on older Windows SDK patterns that use HtmlHelp() API calls from cmd.exe batch wrapper scripts

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security" OR _sourceCategory="endpoint/process")
| where EventID in ("1", "4688")
| where (%"Image" matches "*\\hh.exe" OR %"ParentImage" matches "*\\hh.exe")
| if (%"ParentImage" matches "*(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta).exe", 1, 0) as suspicious_parent
| if (%"CommandLine" matches "*(http://|https://|ms-its:|mk:@MSITStore)*", 1, 0) as remote_load
| if (
    %"Image" matches "*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil).exe"
    AND %"ParentImage" matches "*\\hh.exe",
    1, 0
  ) as suspicious_child
| toInt(suspicious_parent) + toInt(remote_load) + toInt(suspicious_child) as risk_score
| where risk_score > 0 OR %"ParentImage" matches "*\\hh.exe"
| fields _messageTime, _sourceHost, %"User", %"Image", %"CommandLine", %"ParentImage", %"ParentCommandLine", suspicious_parent, remote_load, suspicious_child, risk_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon via Windows Event Forwarding to Sumo Logic Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

windows/sysmon windows/security endpoint/process

False Positives

Windows Help system legitimately invoked by users opening .chm files associated with installed applications like Visual Studio, SQL Server Management Studio, or vendor-provided documentation
Software deployment scripts that use cmd.exe to launch hh.exe as part of an automated product tour or onboarding workflow during application setup
Technical writing or documentation toolchains where CHM compilation and preview tools programmatically invoke hh.exe from build automation scripts

Google Chronicle / SecOps

yaral

rule t1218_001_chm_hh_exe_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of hh.exe (HTML Help executable) to execute malicious CHM files — T1218.001. Covers execution from suspicious parent processes (Office/scripting engines), remote CHM loading via HTTP or UNC paths, and hh.exe spawning LOLBin child processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Pattern 1: hh.exe with suspicious command-line indicators
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\hh\.exe$`)
      and (
        re.regex($e1.target.process.command_line, `(?i)(ms-its:|mk:@MSITStore|http://|https://|\\\\[a-zA-Z])`) or
        re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta)\.exe$`)
      )
    )
    or
    (
      // Pattern 2: hh.exe spawning suspicious child processes
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)\\hh\.exe$`)
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
    )

  match:
    $e1.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if(re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe$`), 40, 0) +
      if(re.regex($e1.target.process.command_line, `(?i)(http://|https://|\\\\[a-zA-Z])`), 40, 0) +
      if(re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`) and re.regex($e1.principal.process.file.full_path, `(?i)\\hh\.exe$`), 50, 0)
    )
    $hostname = $e1.principal.hostname
    $user = $e1.principal.user.userid
    $child_process = $e1.target.process.file.full_path
    $cmdline = $e1.target.process.command_line
    $parent_process = $e1.principal.process.file.full_path

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Endpoint Telemetry via Forwarder Windows Event Logs ingested via Chronicle Windows Sensor

Required Tables

process_launch UDM events

False Positives

Enterprise software that bundles help documentation as CHM files and launches hh.exe from application binaries in signed, known-good installation directories
Administrative tooling like Windows AdminPak or RSAT components that programmatically call hh.exe from management consoles with cmd.exe wrappers
Developer workstations running documentation preview tools or CHM authoring software (e.g., HelpSmith, HelpNDoc) that invoke hh.exe as part of normal preview/build operations

CrowdStrike LogScale (CQL)

cql

// T1218.001 — hh.exe CHM Abuse: Suspicious execution and child process spawning
#event_simpleName = ProcessRollup2
| FileName = /(?i)^hh\.exe$/
  OR ParentBaseFileName = /(?i)^hh\.exe$/
| case {
    ParentBaseFileName = /(?i)(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe$/: SuspiciousParent := 1;
    *: SuspiciousParent := 0;
  }
| case {
    CommandLine = /(?i)(http:\/\/|https:\/\/|ms-its:|mk:@MSITStore|\\\\[a-zA-Z])/: RemoteLoad := 1;
    *: RemoteLoad := 0;
  }
| case {
    FileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$/ AND ParentBaseFileName = /(?i)^hh\.exe$/: SuspiciousChild := 1;
    *: SuspiciousChild := 0;
  }
| RiskScore := SuspiciousParent + RemoteLoad + SuspiciousChild
| RiskScore > 0 OR ParentBaseFileName = /(?i)^hh\.exe$/
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SuspiciousParent, RemoteLoad, SuspiciousChild, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Insight EDR CrowdStrike Humio (LogScale) via Falcon Data Replicator

Required Tables

ProcessRollup2

False Positives

Legitimate Windows Help content accessed via hh.exe by users opening vendor-provided .chm documentation bundled with installed software such as AutoCAD, Cisco tools, or legacy ERP systems
IT support scripts that launch hh.exe from cmd.exe to display troubleshooting guides stored on internal UNC network shares as part of helpdesk automation workflows
CHM-based training materials or policy documents opened by users from intranet file shares — the UNC path pattern may trigger RemoteLoad scoring despite being authorized content

Compiled HTML File

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections