Try in Splunk Security Cloud

Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-11
  • Author: Michael Haag, Splunk
  • ID: a09db4d1-3827-4833-87b8-3a397e532119

Narrative

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).
HH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.
During investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.
Upon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.

Detections

Name Technique Type
Detect HTML Help Renamed System Binary Proxy Execution, Compiled HTML File Hunting
Detect HTML Help Spawn Child Process System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help URL in Command Line System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help Using InfoTech Storage Handlers System Binary Proxy Execution, Compiled HTML File TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution TTP

Reference

source | version: 1