Try in Splunk Security Cloud

Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-11
  • Author: Michael Haag, Splunk
  • ID: a09db4d1-3827-4833-87b8-3a397e532119

Narrative

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).
HH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.
During investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.
Upon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.

Detections

Name Technique Type
Detect HTML Help Renamed Signed Binary Proxy Execution, Compiled HTML File Hunting
Detect HTML Help Spawn Child Process Signed Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help URL in Command Line Signed Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help Using InfoTech Storage Handlers Signed Binary Proxy Execution, Compiled HTML File TTP

Reference

source | version: 1