Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.001 | Compiled HTML File |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1218.001 | Compiled HTML File |
Comments
This diagnostic statement can help prevent adversaries from abusing HTML files by implementing tools and measures to block download/transfer of uncommon file types known to be used in adversary campaigns.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1218.001 | Compiled HTML File | |
| SC-18 | Mobile Code | mitigates | T1218.001 | Compiled HTML File | |
| CM-11 | User-installed Software | mitigates | T1218.001 | Compiled HTML File | |
| SI-16 | Memory Protection | mitigates | T1218.001 | Compiled HTML File | |
| SI-10 | Information Input Validation | mitigates | T1218.001 | Compiled HTML File | |
| SI-03 | Malicious Code Protection | mitigates | T1218.001 | Compiled HTML File | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.001 | Compiled HTML File | |
| CM-02 | Baseline Configuration | mitigates | T1218.001 | Compiled HTML File | |
| CM-07 | Least Functionality | mitigates | T1218.001 | Compiled HTML File | |
| SI-04 | System Monitoring | mitigates | T1218.001 | Compiled HTML File |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.001 | Compiled HTML File |