Home/ATT&CK Technique/Compiled HTML File
ATT&CK Technique

Compiled HTML File

T1218.001 · stealth

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX.

CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.

Windows

Actors Using This

10
chinaAPT41
chinaEarth Alux
russia_speaking_organized_cybercrimeFIN8
latin_america_brazilian_organized_cybercrimeGuildma / Astaroth
iranMuddyWater
indiaPatchwork
russia_speaking_organized_cybercrimeQakbot / Qbot Operators
indiaSideWinder
russia_speaking_organized_cybercrimeTA505
ransomware_raas_crylock_lineage_uca_taken_down_2023Trigona

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution same
T1559.001 · Component Object Model ×4.33T1569 · System Services ×3.40
persistence same
T1547.009 · Shortcut Modification ×3.66
privilege-escalation same
T1548.002 · Bypass User Account Control ×3.57
discovery same
T1069.001 · Local Groups ×6.49T1497.003 · Time Based Checks ×4.14T1497.001 · System Checks ×3.04
command-and-control same
T1571 · Non-Standard Port ×3.97T1071.004 · DNS ×3.87
exfiltration same
T1030 · Data Transfer Size Limits ×10.20
other same
T1480.001 · Environmental Keying ×8.65T1218.010 · Regsvr32 ×6.35T1480 · Execution Guardrails ×4.53T1070.006 · Timestomp ×3.28T1027.010 · Command Obfuscation ×3.17

Atomic Tests

8
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsCompiled HTML Help Local Payload
Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open 
hh.exe "#{local_chm_file}"
command_promptwindowsCompiled HTML Help Remote Payload
Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution displays an error saying the file cannot be open 
hh.exe #{remote_chm_file}
powershellwindowsInvoke CHM with default Shortcut Command Execution
Executes a CHM file with the default Shortcut Command method.
Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
powershellwindowsInvoke CHM with InfoTech Storage Protocol Handler
Executes a CHM file with the ITS protocol handler.
Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
powershellwindowsInvoke CHM Simulate Double click
Executes a CHM file simulating a user double click.
Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}
powershellwindowsInvoke CHM with Script Engine and Help Topic
Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
powershellwindowsInvoke CHM Shortcut Command with ITS and Help Topic
Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
command_promptwindowsDecompile Local CHM File
Uses hh.exe to decompile a local compiled HTML Help file. Upon successful execution the chm file will decompile to disk. Reference:https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ 
hh.exe -decompile %temp% "#{local_chm_file}"

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1021Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery.

Deploy Web Proxy Filtering
  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.
Enable DNS-Based Filtering
  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.
Enforce Content Security Policies (CSP)
  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
Control Browser Features
  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.
Monitor and Alert on Web-Based Threats
  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
M1038Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions.

Application Control
  • Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
  • Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.
xml"`) Script Blocking
  • Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
  • Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g.
, Set-ExecutionPolicy AllSigned) Executable Blocking
  • Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
  • Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.
Dynamic Analysis Prevention
  • Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
  • Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 5
Analytics (MITRE CAR) 1
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

1
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2020-11-009High coverageCompiled HTML Access

Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.

Pseudocode - Pseudocode - instances of hh.exe
processes = search Process:Create
target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe")
output target_processes
Splunk - Splunk Search - hh.exe
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe")
LogPoint - LogPoint Search - hh.exe
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe")

Comply & Defend

NIST 800-53CM-02, CM-06, CM-07, CM-11, SC-18, SI-03, SI-04, SI-07, SI-10, SI-16
D3FEND7 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin