T1218.001 CrowdStrike LogScale · LogScale

Detect Compiled HTML File in CrowdStrike LogScale

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system and are compressed compilations of HTML documents, images, and scripting languages such as VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems. Groups known to abuse CHM files include OilRig, Dark Caracal, Silence, APT41, and APT38.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.001 Compiled HTML File
Canonical reference
https://attack.mitre.org/techniques/T1218/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1218.001 — hh.exe CHM Abuse: Suspicious execution and child process spawning
#event_simpleName = ProcessRollup2
| FileName = /(?i)^hh\.exe$/
  OR ParentBaseFileName = /(?i)^hh\.exe$/
| case {
    ParentBaseFileName = /(?i)(winword|excel|outlook|powerpnt|wscript|cscript|mshta)\.exe$/: SuspiciousParent := 1;
    *: SuspiciousParent := 0;
  }
| case {
    CommandLine = /(?i)(http:\/\/|https:\/\/|ms-its:|mk:@MSITStore|\\\\[a-zA-Z])/: RemoteLoad := 1;
    *: RemoteLoad := 0;
  }
| case {
    FileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$/ AND ParentBaseFileName = /(?i)^hh\.exe$/: SuspiciousChild := 1;
    *: SuspiciousChild := 0;
  }
| RiskScore := SuspiciousParent + RemoteLoad + SuspiciousChild
| RiskScore > 0 OR ParentBaseFileName = /(?i)^hh\.exe$/
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SuspiciousParent, RemoteLoad, SuspiciousChild, RiskScore])
| sort(field=@timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (Humio) CQL detection for T1218.001 targeting ProcessRollup2 events to identify hh.exe execution abuse. Detects hh.exe launched with CHM protocol handlers (ms-its:, mk:@MSITStore), remote resource loading (HTTP/UNC), or from Office/script interpreter parent processes. Also detects hh.exe spawning high-risk LOLBin children. Composite risk scoring (SuspiciousParent + RemoteLoad + SuspiciousChild) surfaces the highest-fidelity events for triage while preserving all hh.exe parent-child relationships for hunting.

Data Sources

CrowdStrike Falcon Endpoint ProtectionCrowdStrike Falcon Insight EDRCrowdStrike Humio (LogScale) via Falcon Data Replicator

Required Tables

ProcessRollup2

False Positives & Tuning

  • Legitimate Windows Help content accessed via hh.exe by users opening vendor-provided .chm documentation bundled with installed software such as AutoCAD, Cisco tools, or legacy ERP systems
  • IT support scripts that launch hh.exe from cmd.exe to display troubleshooting guides stored on internal UNC network shares as part of helpdesk automation workflows
  • CHM-based training materials or policy documents opened by users from intranet file shares — the UNC path pattern may trigger RemoteLoad scoring despite being authorized content
Download portable Sigma rule (.yml)

Other platforms for T1218.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CHM Execution via hh.exe with Embedded Script

    Expected signal: Sysmon Event ID 1: Process Create with Image=hh.exe, CommandLine containing 'ms-its:' and '.chm'. Security Event ID 4688 if command line auditing is enabled. Any child process creation (if CHM contains script) will also appear as Sysmon Event ID 1 with ParentImage=hh.exe.

  2. Test 2CHM File Spawning PowerShell

    Expected signal: Sysmon Event ID 1 for hh.exe, then a child Sysmon Event ID 1 for powershell.exe with ParentImage=hh.exe. The suspicious child process relationship is the primary detection indicator. Security Event ID 4688 for both processes if command line auditing is on.

  3. Test 3CHM File Opened from Email Attachment Location

    Expected signal: Sysmon Event ID 11: File Create in the Outlook temp path. Sysmon Event ID 1: hh.exe with the Outlook temp path in its command line. File System: CHM file written to Content.Outlook directory.

Last updated: 2026-04-19 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1566.001Spearphishing AttachmentT1204.002Malicious FileT1059.007JavaScriptT1059.005Visual BasicT1548.002Bypass User Account ControlT1027.009Embedded PayloadsT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections