CAR-2020-11-009: Compiled HTML Access
Adversaries may hide malicious code in compiled HTML (.chm) files. When such a file is opened, Windows launches the HTML Help executable, hh.exe; the creation of an hh.exe process is the signature this analytic looks for.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
System Binary Proxy Execution | Compiled HTML File | Defense Evasion | High |
D3FEND Techniques
ID | Name |
---|---|
D3-PSA | Process Spawn Analysis |
Data Model References
Object | Action | Field |
---|---|---|
process | create | exe |
Implementations
Pseudocode - instances of hh.exe (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.
processes = search Process:Create
target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe")
output target_processes
Splunk Search - hh.exe (Splunk, Sysmon native)
Looks for all instances of hh.exe.
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe")
LogPoint Search - hh.exe (Logpoint, LogPoint native)
Looks for all instances of hh.exe.
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe")
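The same analytic expressed as runnable Python over Sysmon process-create records, added here as an illustration and not part of the CAR analytic or its searches. The JSON field names (EventCode, Image, ParentImage, CommandLine, ProcessId) and the sample events are constructed assumptions; the path comparison is case-insensitive because Windows paths are, and ParentImage and CommandLine are carried along so an analyst can triage which .chm was opened and what launched it.

```python
import json

# The two hh.exe locations named in the CAR searches, lowercased for comparison.
HH_EXE_PATHS = {
    r"c:\windows\syswow64\hh.exe",
    r"c:\windows\system32\hh.exe",
}

# Constructed sample Sysmon records (newline-delimited JSON), not real telemetry.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventCode": 1, "Image": r"C:\Windows\System32\hh.exe",
                "CommandLine": r"hh.exe C:\Users\alice\Downloads\invoice.chm",
                "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4120}),
    json.dumps({"EventCode": 1, "Image": r"C:\Windows\SysWOW64\hh.exe",
                "CommandLine": r"hh.exe C:\Temp\help.chm",
                "ParentImage": r"C:\Windows\System32\cmd.exe", "ProcessId": 5012}),
    json.dumps({"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 6000}),
    # Network event (EventCode 3) for hh.exe: out of scope for this analytic.
    json.dumps({"EventCode": 3, "Image": r"C:\Windows\System32\hh.exe",
                "DestinationIp": "203.0.113.5", "ProcessId": 4120}),
])


def parse_sysmon_events(text):
    """Parse newline-delimited JSON Sysmon records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_hh_exe_launches(events):
    """Return process-create events (EventCode 1) whose Image is one of the hh.exe paths.

    Mirrors the CAR search: only EventCode 1 is considered and only the two
    expected system locations of hh.exe. Each hit keeps the parent process and
    command line so the opened .chm and its launcher are visible for triage.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if ev.get("Image", "").lower() in HH_EXE_PATHS:
            hits.append({k: ev.get(k) for k in
                         ("ProcessId", "Image", "ParentImage", "CommandLine")})
    return hits


if __name__ == "__main__":
    for hit in find_hh_exe_launches(parse_sysmon_events(SAMPLE_EVENTS)):
        print(hit)
```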