T1218.001: Compiled HTML File
| View on MITRE ATT&CK | T1218.001 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Hiding Malicious Data or Code within Files (CAPEC-636) |
Data from MITRE ATT&CK®:
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Decompile Local CHM File
Compiled HTML Help Remote Payload
Invoke CHM with Script Engine and Help Topic
Invoke CHM Shortcut Command with ITS and Help Topic
Invoke CHM Simulate Double click
Compiled HTML Help Local Payload
Invoke CHM with default Shortcut Command Execution
Invoke CHM with InfoTech Storage Protocol Handler
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.