Process Activity via Compiled HTML File
editProcess Activity via Compiled HTML File
editCompiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Execution
Version: 13 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editThe HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code.
Investigation guide
editRule query
editprocess where event.type in ("start", "process_started") and process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: User Execution
- ID: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
Rule version history
edit- Version 13 (8.4.0 release)
-
-
Updated query, changed from:
process where event.type in ("start", "process_started") and process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
-
- Version 11 (8.2.0 release)
-
- Formatting only
- Version 10 (7.16.0 release)
-
-
Updated query, changed from:
process where event.type in ("start", "process_started") and process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
-
- Version 8 (7.13.0 release)
-
-
Updated query, changed from:
event.category:process and event.type:(start or process_started) and process.name:hh.exe
-
- Version 7 (7.12.0 release)
-
- Formatting only
- Version 6 (7.11.2 release)
-
- Formatting only
- Version 5 (7.11.0 release)
-
- Formatting only
- Version 4 (7.10.0 release)
-
-
Updated query, changed from:
event.code:1 and process.name:hh.exe
-
- Version 3 (7.9.0 release)
-
- Formatting only
- Version 2 (7.7.0 release)
-
- Formatting only