Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Endpoint_Processes
- Last Updated: 2021-02-11
- Author: Michael Haag, Splunk
- ID: a09db4d1-3827-4833-87b8-3a397e532119
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).
HH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.
During investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.
Upon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.
source | version: 1