Adversaries may hide malicious code in compiled HTML help (.chm) files. When such a file is opened, Windows launches the HTML Help executable, hh.exe, so process creation of hh.exe is the signature this analytic looks for. Because hh.exe is a legitimate, signed Windows binary, expect benign hits wherever users still open .chm documentation; triage each hit on the .chm path passed on the command line and on the parent process that launched hh.exe.

ATT&CK Detection

Technique                     | Subtechnique(s)    | Tactic(s)       | Level of Coverage
Signed Binary Proxy Execution | Compiled HTML File | Defense Evasion | High

Data Model References

Object  | Action | Field
process | create | exe

Implementations

Pseudocode - instances of hh.exe (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

processes = search Process:Create
target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe")
output target_processes

Splunk Search - hh.exe (Splunk, Sysmon native)

Looks for all instances of hh.exe.

(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe")

LogPoint Search - hh.exe (Logpoint, LogPoint native)

Looks for all instances of hh.exe.

norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe")
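The following is an added example, not part of the CAR analytic or of any of the searches above: the same hh.exe process-creation check, written as plain Python and run over a handful of constructed Sysmon Event ID 1 records in a key=value shape like the one a SIEM extracts from Sysmon's XML. It assumes the two image paths used by the searches above, and folds case before comparing because Windows paths are case-insensitive while Sysmon records the on-disk casing (System32, SysWOW64). The sample records, the field names other than Image and EventCode, and the parse_event/find_hh_exe_launches helpers are all assumptions made for the example.

```python
"""Added example (not part of the CAR analytic): hh.exe process-creation
detection over constructed Sysmon Event ID 1 records."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# The two image paths matched by the page's Splunk and LogPoint searches.
HH_EXE_PATHS = (r"C:\Windows\system32\hh.exe", r"C:\Windows\syswow64\hh.exe")

# Windows paths are case-insensitive and Sysmon logs the on-disk casing
# ("System32", "SysWOW64"), so compare case-folded strings.
_HH_EXE_FOLDED = frozenset(p.casefold() for p in HH_EXE_PATHS)

# key="quoted value" or key=bareword, the shape of the constructed records below.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class ProcessEvent:
    event_code: int
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key=value record into a ProcessEvent (assumed format)."""
    fields = {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _FIELD_RE.finditer(line)
    }
    return ProcessEvent(
        event_code=int(fields["EventCode"]),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
        parent_image=fields.get("ParentImage", ""),
    )


def is_hh_exe_launch(event: ProcessEvent) -> bool:
    """The analytic: a process-create event (Sysmon Event ID 1) whose image is
    hh.exe under System32 or SysWOW64. Other event types and other paths do
    not match, exactly as in the searches on the page."""
    return event.event_code == 1 and event.image.casefold() in _HH_EXE_FOLDED


def find_hh_exe_launches(lines: Iterable[str]) -> List[ProcessEvent]:
    """Run the check over raw records and return the matching events."""
    events = (parse_event(line) for line in lines if line.strip())
    return [ev for ev in events if is_hh_exe_launch(ev)]


# Constructed sample records (not real telemetry). Lines 1 and 2 should match;
# notepad.exe, a copy of hh.exe outside the two system paths, and a non-process
# event (EventCode=3, network connection) should not.
SAMPLE_LOG = r'''
EventCode=1 Image="C:\Windows\System32\hh.exe" CommandLine="C:\Windows\System32\hh.exe C:\Users\alice\Downloads\invoice.chm" ParentImage="C:\Windows\explorer.exe"
EventCode=1 Image="C:\Windows\SysWOW64\hh.exe" CommandLine="hh.exe -decompile C:\tmp C:\tmp\manual.chm" ParentImage="C:\Windows\System32\cmd.exe"
EventCode=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"
EventCode=1 Image="C:\Users\alice\AppData\Local\Temp\hh.exe" CommandLine="hh.exe evil.chm" ParentImage="C:\Windows\System32\cmd.exe"
EventCode=3 Image="C:\Windows\System32\hh.exe" DestinationIp="203.0.113.10" DestinationPort=443
'''


def main() -> None:
    for hit in find_hh_exe_launches(SAMPLE_LOG.splitlines()):
        print(f"hh.exe launched: image={hit.image} parent={hit.parent_image}")
        print(f"  command line: {hit.command_line}")


if __name__ == "__main__":
    main()
```

The fourth sample record is deliberately not matched: the analytic as written only covers the two system paths, so a renamed or relocated copy of hh.exe is out of scope, and you should confirm those two paths are where hh.exe actually lives on your builds before relying on them. The command line and parent image are carried through because they are what an analyst needs to separate a user opening vendor documentation from a .chm delivered by phishing.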