
Summary
This detection rule identifies execution of hh.exe, the Windows HTML Help executable used to open Compiled HTML Help (CHM) files. It matches process creation events in which the process is hh.exe, identified either by its image path or by its original file name (so a renamed copy of the binary is still caught), and in which the command line contains '.chm', indicating that a CHM file is being opened. CHM files are HTML containers that can embed script and objects which hh.exe executes when the file is opened, so adversaries use this signed, trusted binary to proxy execution of malicious content delivered by phishing or download; ATT&CK tracks the technique as T1218.001 (System Binary Proxy Execution: Compiled HTML File). Legitimate software still ships documentation as CHM files, so false positives are expected and the rule is assigned low severity. Treat a match as a triage signal rather than a confirmed intrusion: weigh where the CHM file was loaded from (a vendor installation directory versus a user-writable location such as Downloads or Temp), whether the hh.exe image itself sits in its normal Windows location, and what the user was doing at the time.
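The matching logic and the triage caveat above, as an added example that is not the rule's own code or the project's code: a Python implementation of the hh.exe / '.chm' conditions run over constructed Sysmon Event ID 1 style events (Image, OriginalFileName, CommandLine). The sample events, the OriginalFileName value "HH.EXE", and the list of user-writable path markers used for triage are assumptions made for the example.

```python
"""Added example (not the rule's own code): apply the hh.exe / CHM detection
to Sysmon Event ID 1 style process-creation events and flag the hits that
load the CHM from a user-writable location for closer triage."""

# Path fragments treated as user-writable (assumption for this example).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\tmp\\")


def is_hh_exe(event):
    """True when the process is hh.exe, matched by image path OR original
    file name. The OriginalFileName check (from the PE version resource, as
    Sysmon reports it) still fires when the binary has been copied and renamed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\hh.exe") or original == "hh.exe"


def opens_chm(event):
    """True when the command line references a .chm file (case-insensitive
    substring match, mirroring the rule's 'contains .chm' condition)."""
    return ".chm" in event.get("CommandLine", "").lower()


def matches(event):
    """The rule: hh.exe by path or original name, AND a .chm on the command line."""
    return is_hh_exe(event) and opens_chm(event)


def from_user_writable_path(event):
    """Triage hint (not part of the rule): was the CHM loaded from a path a
    normal user can write to? Vendor help files live under Program Files;
    phishing payloads land in Downloads, AppData or Temp."""
    cmdline = event.get("CommandLine", "").lower()
    return any(marker in cmdline for marker in USER_WRITABLE_MARKERS)


def evaluate(events):
    """Return one record per matching event with its index and triage flag."""
    hits = []
    for index, event in enumerate(events):
        if matches(event):
            hits.append({"index": index,
                         "user_writable": from_user_writable_path(event)})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: legitimate vendor help file -> matches, low interest
        "Image": r"C:\Windows\hh.exe",
        "OriginalFileName": "HH.EXE",
        "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\manual.chm"',
    },
    {   # 1: CHM opened from Downloads -> matches, worth a look
        "Image": r"C:\Windows\hh.exe",
        "OriginalFileName": "HH.EXE",
        "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\invoice.chm',
    },
    {   # 2: renamed copy of hh.exe -> still matches via OriginalFileName
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "OriginalFileName": "HH.EXE",
        "CommandLine": r"update.exe C:\Users\alice\AppData\Local\Temp\readme.chm",
    },
    {   # 3: hh.exe launched with no file -> no match (no .chm)
        "Image": r"C:\Windows\hh.exe",
        "OriginalFileName": "HH.EXE",
        "CommandLine": r'"C:\Windows\hh.exe"',
    },
    {   # 4: a .chm on the command line of a different binary -> no match
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\bob\notes.chm",
    },
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[hit["index"]]
        priority = "REVIEW" if hit["user_writable"] else "low"
        print(f"[{priority}] event {hit['index']}: {event['CommandLine']}")
```

Events 0, 1 and 2 match; only 1 and 2 carry the user-writable flag, which is the distinction a low-severity rule like this needs downstream. Event 2 shows why the rule checks OriginalFileName as well as the image path: the attacker-copied binary no longer ends in `\hh.exe`, but Sysmon still reports the original name from the file's version resource.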
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1218.001
Created: 2019-10-24