HTML Help HH.EXE Suspicious Child Process
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
HTML Help HH.EXE Suspicious Child Process | Standard | Windows | Defense Evasion: System Binary Proxy Execution - Compiled HTML File (T1218.001),"Defense Evasion: System Binary Proxy Execution (T1218)","Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)","Execution: Command and Scripting Interpreter - Windows Command Shell (T1059.003)","Initial Access: Phishing - Spearphishing Attachment (T1566.001)","Execution: Command and Scripting Interpreter - PowerShell (T1059.001)","Initial Access: Phishing (T1566)","Defense Evasion: System Binary Proxy Execution - Regsvr32 (T1218.010)","Execution: Windows Management Instrumentation (T1047)","Execution: Command and Scripting Interpreter - JavaScript (T1059.007)","Execution: Command and Scripting Interpreter - Visual Basic (T1059.005)" | Trouble |
About the rule
Rule Type
Standard
Rule Description
hh.exe is the legitimate Microsoft HTML Help executable, often used by Windows to display .chm (compiled HTML) help files. Attackers exploit hh.exe (a signed, trusted binary) to evade security controls, launching malicious payloads or scripts as child processes under the guise of normal help operations. This rule detects when hh.exe initiates suspicious child processes—such as command interpreters (e.g., cmd.exe, powershell.exe), scripting engines, or uncommon executables.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Malicious .chm file → Execution → Abuse of hh.exe → Suspicious child process creation → Command and Control/Impact
Impact
- Defense evasion
- Unauthorized command execution
- Malware deployment
- Persistent access
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND PARENTPROCESSNAME endswith "\hh.exe" AND PROCESSNAME endswith "\CertReq.exe,\CertUtil.exe,\cmd.exe,\cscript.exe,\installutil.exe,\MSbuild.exe,\MSHTA.EXE,\msiexec.exe,\powershell.exe,\pwsh.exe,\regsvr32.exe,\rundll32.exe,\schtasks.exe,\wmic.exe,\wscript.exe" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution - Compiled HTML File (T1218.001),"Defense Evasion: System Binary Proxy Execution (T1218)","Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)","Execution: Command and Scripting Interpreter - Windows Command Shell (T1059.003)","Initial Access: Phishing - Spearphishing Attachment (T1566.001)","Execution: Command and Scripting Interpreter - PowerShell (T1059.001)","Initial Access: Phishing (T1566)","Defense Evasion: System Binary Proxy Execution - Regsvr32 (T1218.010)","Execution: Windows Management Instrumentation (T1047)","Execution: Command and Scripting Interpreter - JavaScript (T1059.007)","Execution: Command and Scripting Interpreter - Visual Basic (T1059.005)"
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified that hh.exe has launched a suspicious child process (such as cmd.exe, powershell.exe, or a non-standard executable). This enables you to review the process tree, analyze the parent-child relationship, and quickly spot potentially malicious behavior that leverages a legitimate signed binary for unauthorized execution.
Author
Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
Routine or custom help systems might trigger this rule if software legitimately invokes scripts or utilities via hh.exe. Carefully review the command-line, file paths, and user context for legitimacy before taking remedial action.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Adjust or tighten detection rules for legitimate software, update allowlists, and strengthen endpoint monitoring for similar behaviors.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1038 | Execution Prevention | Use application control where appropriate. |
M1021 | Restrict Web-Based Content | Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. |
M1050 | Exploit Protection | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control. |
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
M1045 | Code Signing | Set PowerShell execution policy to execute only signed scripts. |
M1042 | Disable or Remove Feature or Program | It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution. |
M1026 |
| When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.(Citation: Netspi PowerShell Execution Policy Bypass) PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.(Citation: Microsoft PS JEA) |
M1040 |
| On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content (Citation: win10_asr). |
M1047 | Audit | Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. This practice helps identify spearphishing attempts before they can lead to further compromise. |
M1031 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. |
M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) |
M1018 | User Account Management | Apply user account management principles to limit permissions for accounts interacting with email attachments, ensuring that only necessary accounts have the ability to open or execute files. Restricting account privileges reduces the potential impact of malicious attachments by preventing unauthorized execution or spread of malware within the environment. |
M1017 | User Training | Users can be trained to identify social engineering techniques and spearphishing emails. |
M1037 |
| Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
