Detect Compiled HTML File in Google Chronicle
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system and are compressed compilations of HTML documents, images, and scripting languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems. Groups known to abuse CHM files include OilRig, Dark Caracal, Silence, APT41, and APT38.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.001 Compiled HTML File
- Canonical reference
- https://attack.mitre.org/techniques/T1218/001/
YARA-L Detection Query
rule t1218_001_chm_hh_exe_abuse {

  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of hh.exe (HTML Help executable) to execute malicious CHM files — T1218.001. Covers execution from suspicious parent processes (Office/scripting engines), remote CHM loading via HTTP or UNC paths, and hh.exe spawning LOLBin child processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // The match variable has to be bound here before it can be used in the match section
    $hostname = $e1.principal.hostname
    (
      (
        // Pattern 1: hh.exe with suspicious command-line indicators or a suspicious parent
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)\\hh\.exe$`)
        and (
          re.regex($e1.target.process.command_line, `(?i)(ms-its:|mk:@MSITStore|http://|https://|\\\\[a-zA-Z])`) or
          re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta)\.exe$`)
        )
      )
      or
      (
        // Pattern 2: hh.exe spawning suspicious child processes
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)\\hh\.exe$`)
        and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`)
      )
    )

  match:
    $hostname over 1h

  outcome:
    // Highest per-event score within the 1h window: parent (40) + remote path (40) + LOLBin child (50)
    $risk_score = max(
      if(re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe$`), 40, 0) +
      if(re.regex($e1.target.process.command_line, `(?i)(http://|https://|\\\\[a-zA-Z])`), 40, 0) +
      if(re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$`) and re.regex($e1.principal.process.file.full_path, `(?i)\\hh\.exe$`), 50, 0)
    )
    // With a match window, outcome values derived from event fields must be aggregated
    $user = array_distinct($e1.principal.user.userid)
    $child_process = array_distinct($e1.target.process.file.full_path)
    $cmdline = array_distinct($e1.target.process.command_line)
    $parent_process = array_distinct($e1.principal.process.file.full_path)

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1218.001 CHM file abuse through hh.exe. Two detection patterns are unified: (1) hh.exe launched with ms-its:/mk:@MSITStore protocols, HTTP/UNC remote paths, or from Office/scripting parent processes; (2) hh.exe acting as a parent to LOLBin processes such as powershell.exe, cmd.exe, or certutil.exe. A composite outcome risk score of 0–130 is computed per host to aid analyst triage in the Chronicle SIEM interface.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software that bundles help documentation as CHM files and launches hh.exe from application binaries in signed, known-good installation directories
- Administrative tooling like Windows AdminPak or RSAT components that programmatically call hh.exe from management consoles with cmd.exe wrappers
- Developer workstations running documentation preview tools or CHM authoring software (e.g., HelpSmith, HelpNDoc) that invoke hh.exe as part of normal preview/build operations
Other platforms for T1218.001
Testing Methodology
Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CHM Execution via hh.exe with Embedded Script
Expected signal: Sysmon Event ID 1 (Process Create) with Image=hh.exe and a CommandLine containing 'ms-its:' and '.chm'. Security Event ID 4688 if command-line auditing is enabled. Any child process creation (if the CHM contains script) will also appear as Sysmon Event ID 1 with ParentImage=hh.exe.
- Test 2: CHM File Spawning PowerShell
Expected signal: Sysmon Event ID 1 for hh.exe, then a child Sysmon Event ID 1 for powershell.exe with ParentImage=hh.exe. The suspicious parent/child relationship is the primary detection indicator. Security Event ID 4688 for both processes if command-line auditing is on.
- Test 3: CHM File Opened from Email Attachment Location
Expected signal: Sysmon Event ID 11 (File Create) in the Outlook temp path. Sysmon Event ID 1 for hh.exe with the Outlook temp path in its command line. File system: CHM file written to the Content.Outlook directory.
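The following Python is an added example, not the page's rule and not Argus code. It re-implements the two YARA-L patterns, the outcome score and the per-host 1h grouping described under the rule, and runs them over constructed Sysmon-style process-creation records modelled on the three tests above plus one benign authoring-tool launch from the tuning list. The record field names, hostnames, user names, file paths and the allow-listed directory are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Regexes copied from the YARA-L rule; the rule's (?i) becomes re.I here.
HH_EXE = re.compile(r"\\hh\.exe$", re.I)
CHM_PROTOCOL_OR_REMOTE = re.compile(
    r"(ms-its:|mk:@MSITStore|http://|https://|\\\\[a-zA-Z])", re.I)
OFFICE_OR_SCRIPT_PARENT = re.compile(
    r"(winword|excel|outlook|powerpnt|cmd|wscript|cscript|mshta)\.exe$", re.I)
SCORED_PARENT = re.compile(
    r"(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe$", re.I)
REMOTE_PATH = re.compile(r"(http://|https://|\\\\[a-zA-Z])", re.I)
LOLBIN_CHILD = re.compile(
    r"(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$", re.I)

# Tuning hook (assumption): parent binaries under these directories are
# known-good CHM authoring/preview tools from the "False Positives & Tuning" list.
ALLOWLISTED_PARENT_DIRS = ("c:\\program files\\helpndoc\\",)


def is_allowlisted(ev):
    return ev["parent_image"].lower().startswith(ALLOWLISTED_PARENT_DIRS)


def matches_pattern1(ev):
    """hh.exe launched with CHM-protocol/remote indicators or from an Office/scripting parent."""
    return bool(HH_EXE.search(ev["image"])) and (
        bool(CHM_PROTOCOL_OR_REMOTE.search(ev["command_line"]))
        or bool(OFFICE_OR_SCRIPT_PARENT.search(ev["parent_image"])))


def matches_pattern2(ev):
    """hh.exe acting as the parent of a LOLBin."""
    return bool(HH_EXE.search(ev["parent_image"])) and bool(LOLBIN_CHILD.search(ev["image"]))


def risk_score(ev):
    """Same additive per-event score as the rule's outcome section."""
    score = 40 if SCORED_PARENT.search(ev["parent_image"]) else 0
    score += 40 if REMOTE_PATH.search(ev["command_line"]) else 0
    score += 50 if (LOLBIN_CHILD.search(ev["image"]) and HH_EXE.search(ev["parent_image"])) else 0
    return score


def evaluate(events, window=timedelta(hours=1)):
    """Mimic `match: $hostname over 1h`: matching events on one host within `window`
    of the group's first event form one detection with the max score and distinct values."""
    detections, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_type"] != "PROCESS_LAUNCH" or is_allowlisted(ev):
            continue
        if not (matches_pattern1(ev) or matches_pattern2(ev)):
            continue
        grp = open_groups.get(ev["hostname"])
        if grp is None or ev["time"] - grp["window_start"] > window:
            grp = {"hostname": ev["hostname"], "window_start": ev["time"], "risk_score": 0,
                   "users": set(), "parents": set(), "children": set(), "cmdlines": set()}
            open_groups[ev["hostname"]] = grp
            detections.append(grp)
        grp["risk_score"] = max(grp["risk_score"], risk_score(ev))
        grp["users"].add(ev["user"])
        grp["parents"].add(ev["parent_image"])
        grp["children"].add(ev["image"])
        grp["cmdlines"].add(ev["command_line"])
    return detections


BASE = datetime(2024, 1, 1, 9, 0)  # constructed timestamp base


def _ev(offset_min, hostname, user, parent, image, cmdline):
    return {"event_type": "PROCESS_LAUNCH", "time": BASE + timedelta(minutes=offset_min),
            "hostname": hostname, "user": user, "parent_image": parent,
            "image": image, "command_line": cmdline}


SAMPLE_EVENTS = [  # constructed records, modelled on the three tests above
    # Test 1: hh.exe opening a local CHM through the ms-its: protocol
    _ev(0, "ws01", "alice", r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
        r"hh.exe ms-its:C:\Users\alice\Downloads\manual.chm::/start.htm"),
    # Test 2: unremarkable hh.exe launch, then a PowerShell child of hh.exe
    _ev(5, "ws02", "bob", r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
        r'"C:\Windows\hh.exe" C:\Users\bob\Downloads\report.chm'),
    _ev(6, "ws02", "bob", r"C:\Windows\hh.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -Command Get-Date"),
    # Test 3: hh.exe launched by Outlook on a CHM in the attachment cache
    _ev(10, "ws03", "carol", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        r"C:\Windows\hh.exe",
        r'"C:\Windows\hh.exe" C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.chm'),
    # Benign: allow-listed authoring tool previewing its own build (would match pattern 1 otherwise)
    _ev(12, "ws04", "dave", r"C:\Program Files\HelpNDoc\HelpNDoc.exe", r"C:\Windows\hh.exe",
        r'"C:\Windows\hh.exe" mk:@MSITStore:C:\Projects\docs\build\out.chm::/index.htm'),
    # ws02 again, two hours later: remote CHM path from a cmd.exe parent opens a new window
    _ev(130, "ws02", "bob", r"C:\Windows\System32\cmd.exe", r"C:\Windows\hh.exe",
        "hh.exe https://files.example.invalid/help.chm"),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS):
        print(d["hostname"], d["window_start"].time(), d["risk_score"], sorted(d["children"]))
```

Two things the run makes visible that the rule text alone does not: the Test 1 launch (ms-its: on a local file) matches pattern 1 but scores 0, because the scoring regex only rewards HTTP/UNC paths and scripting/Office parents, so the risk score ranks hits and must not be used as a match filter; and the UNC term `\\\\[a-zA-Z]` only fires on a doubled backslash, so ordinary local paths in the command line do not inflate the score.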
References (7)
- https://attack.mitre.org/techniques/T1218/001/
- https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
- https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://www.trendmicro.com/en_us/research.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf