EXPLORE
Sign In
← Back to Explore
T1218.001

Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) load...

Windows
13
Detections
3
Sources
5
Threat Actors

BY SOURCE

5sigma5splunk_escu3elastic

PROCEDURES (10)

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Child Process2 detections

Auto-extracted: 2 detections for child process

Privilege2 detections

Auto-extracted: 2 detections for privilege

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Child Process1 detections

Auto-extracted: 1 detections for child process

Persist1 detections

Auto-extracted: 1 detections for persist

Remote1 detections

Auto-extracted: 1 detections for remote

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (5)

APT38APT41Dark CaracalOilRigSilence

DETECTIONS (13)

Detect HTML Help Renamed
splunk_escu
Detect HTML Help Spawn Child Process
splunk_escu
Detect HTML Help URL in Command Line
splunk_escu
Detect HTML Help Using InfoTech Storage Handlers
splunk_escu
HH.EXE Execution
sigmalow
HTML Help HH.EXE Suspicious Child Process
sigmahigh
Network Connection via Compiled HTML File
elasticlow
OneNote.EXE Execution of Malicious Embedded Scripts
sigmahigh
Process Activity via Compiled HTML File
elasticmedium
Remote CHM File Download/Execution Via HH.EXE
sigmahigh
Suspicious HH.EXE Execution
sigmahigh
Suspicious MS Office Child Process
elasticmedium
Windows System Binary Proxy Execution Compiled HTML File Decompile
splunk_escu