Process Activity via Compiled HTML File

Elastic Stack Serverless Security

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Elastic
Host
Windows
Threat Detection
Execution

Version: 101

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

Rule query

		process where event.type == "start" and
 process.parent.name : "hh.exe" and
 process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")

	

Framework: MITRE ATT&CKTM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: User Execution
- ID: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/
Sub-technique:
- Name: Malicious File
- ID: T1204.002
- Reference URL: https://attack.mitre.org/techniques/T1204/002/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
Sub-technique:
- Name: Compiled HTML File
- ID: T1218.001
- Reference URL: https://attack.mitre.org/techniques/T1218/001/