Remote CHM File Download/Execution Via HH.EXE


Rule name: Remote CHM File Download/Execution Via HH.EXE

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: System Binary Proxy Execution - Compiled HTML File (T1218.001)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

hh.exe is the Microsoft HTML Help executable that Windows uses to display compiled HTML Help (.chm) documentation. Because it is a built-in, Microsoft-signed binary, attackers abuse it as a proxy for execution: a CHM file can carry embedded script or code, and hh.exe will open one directly from an HTTP(S) URL or a UNC share, so a single command line both fetches and executes attacker-controlled content, often without tripping controls that watch for unsigned downloads. This rule detects process-creation events in which hh.exe (identified by image path or by original file name, so a renamed copy is still caught) is started with a command line that references a remote location: an http:// or https:// URL, or a UNC path beginning with "\\".

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Drive-by download → Remote CHM file download/execution via hh.exe → Command and Control → Impact

Impact

    • Defense evasion
    • Arbitrary code execution
    • Malware delivery and execution
    • Data exfiltration

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination (Security event ID 4688/4689). Because the rule keys on the command line, also enable "Include command line in process creation events" under Computer Configuration > Administrative Templates > System > Audit Process Creation; without it, 4688 events carry no command line and the URL or UNC path is never logged.

Install Sysmon from Microsoft Sysinternals and deploy a Sysmon configuration file that includes process creation monitoring (Event ID 1, which records Image, OriginalFileName, CommandLine and ParentImage). Add network connection events (Event ID 3) to the configuration file so that any outbound connection made by hh.exe is also recorded for investigation.

Create a new registry key named "Microsoft-Windows-Sysmon/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if it does not already exist, so that the Sysmon channel is collected.

Criteria

Action1: actionname = "Process started" AND (ORIGINALFILENAME = "HH.exe" OR PROCESSNAME endswith "\hh.exe") AND COMMANDLINE contains "http://,https://,\\" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME

The rule fires on a process-creation event where the binary is hh.exe (matched on the original file name or on the image path, so a renamed copy with an intact version resource is still caught) and the command line contains any one of the three comma-separated terms. The third term is the UNC prefix "\\" (two backslashes); a single backslash would match every local path such as "C:\Program Files\Vendor\help.chm" and turn the rule into noise. Matching is case-insensitive, so "HTTP://" and "https://" are treated alike.
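The criteria above, re-implemented as an added example so the logic can be exercised offline against constructed Sysmon Event ID 1 records. This is not the vendor's rule engine or the Sigma rule itself; the SIEM fields PROCESSNAME, ORIGINALFILENAME and COMMANDLINE are assumed to map onto Sysmon's Image, OriginalFileName and CommandLine, the sample records are constructed (the hosts under example.invalid do not exist), and the function names are the example's own. The last line shows why the third "contains" term must be "\\" rather than "\".

```python
"""Added example: the page's hh.exe remote-CHM criteria applied to constructed
Sysmon Event ID 1 (process creation) records. Not the vendor's engine; it assumes
the SIEM fields PROCESSNAME/ORIGINALFILENAME/COMMANDLINE correspond to Sysmon
Image/OriginalFileName/CommandLine."""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by the Microsoft-Windows-Sysmon/Operational channel.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 record (not real telemetry): hh.exe opening a CHM over HTTPS.
SYSMON_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\hh.exe</Data>
    <Data Name="OriginalFileName">HH.exe</Data>
    <Data Name="CommandLine">"C:\Windows\hh.exe" https://help.example.invalid/manual.chm</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten the <EventData><Data Name=...> elements of one event into a field dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


# Further constructed records, already flattened (not real telemetry).
SAMPLE_EVENTS = [
    parse_sysmon_event(SYSMON_XML),                                   # 0: HTTPS URL -> fires
    {"Image": r"C:\Windows\hh.exe", "OriginalFileName": "HH.exe",     # 1: UNC share -> fires
     "CommandLine": r'hh.exe \\fileshare\public\setup.chm',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
    {"Image": r"C:\Windows\hh.exe", "OriginalFileName": "HH.exe",     # 2: local file -> must not fire
     "CommandLine": r'"C:\Windows\hh.exe" C:\Program Files\Vendor\help.chm',
     "ParentImage": r"C:\Program Files\Vendor\app.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",        # 3: renamed hh.exe -> fires
     "OriginalFileName": "HH.exe",
     "CommandLine": r"updater.exe http://cdn.example.invalid/readme.chm",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",         # 4: not hh.exe -> no
     "OriginalFileName": "firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.example.invalid/',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]

# The rule's three "contains" terms; the third is the UNC prefix "\\" (two backslashes).
REMOTE_MARKERS = ("http://", "https://", "\\\\")


def is_hh_exe(event: dict) -> bool:
    """Match on original file name OR image path so a renamed copy is still caught."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return original == "hh.exe" or image.endswith("\\hh.exe")


def matches_rule(event: dict, markers=REMOTE_MARKERS) -> bool:
    """Process started by hh.exe AND command line references a remote location."""
    if not is_hh_exe(event):
        return False
    cmd = event.get("CommandLine", "").lower()  # case-insensitive "contains", as in Sigma
    return any(m.lower() in cmd for m in markers)


def run_rule(events, markers=REMOTE_MARKERS) -> list:
    """Return the indexes of matching events, i.e. what the SIEM would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e, markers)]


def alert_summary(event: dict) -> dict:
    """The columns the rule's select clause hands to the analyst."""
    return {k: event.get(k, "") for k in ("Image", "CommandLine", "ParentImage", "User")}


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(i, alert_summary(SAMPLE_EVENTS[i]))
    # A single-backslash third term also flags the benign local CHM at index 2.
    print(run_rule(SAMPLE_EVENTS, ("http://", "https://", "\\")))
```

Running it alerts on records 0, 1 and 3 (URL, UNC share, renamed binary with the HH.exe original file name) and stays silent on the local help file and on the browser, whereas swapping the third marker for a single backslash also raises record 2, which is the false-positive flood a mistyped term would cause.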

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Compiled HTML File (T1218.001)

Security Standards

Enabling this rule helps you meet the security standard requirement listed below:

NIST CSF 2.0 DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you are notified that hh.exe was started with a command line pointing at a remote CHM file (an HTTP(S) URL or a UNC path), which is the first step of a download-and-execute chain through a trusted system binary.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may trigger when legitimate administrators or support tools open remote documentation as CHM files, or during approved software installation or update processes that use hh.exe to open custom help files from internal file shares. Review the source URL or share, the parent process, the command-line context and the timing to confirm legitimacy; a CHM fetched from an unfamiliar external host by a browser or Office child process deserves more scrutiny than one opened from a known internal share.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the host's network connections and terminate the hh.exe process.
  4. Reconfiguration: Update allowlists for known good internal help file servers, refine detection rules for network origin and path, and continue monitoring for similar executable misuse patterns.

Mitigation

Mitigation ID

Mitigation Name

Mitigation description

M1038

Execution Prevention

Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

M1021

Restrict Web-Based Content

Consider blocking the download, transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.