Monitor and analyze the execution and arguments of hh.exe (the HTML Help executable, %SystemRoot%\hh.exe). Compare recent invocations of hh.exe with prior history of known-good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as hh.exe being the parent process of suspicious processes and of activity relating to other adversarial techniques. Monitor the presence and use of CHM files, especially if they are not typically used within an environment.

Consider using application control to prevent execution of hh.exe if it is not required for a given system or network, to prevent potential misuse by adversaries. Consider blocking the download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.

APT38 has used CHM files to move concealed payloads. APT41 used compiled HTML (.chm) files for targeting. Astaroth uses ActiveX objects for file execution and manipulation. Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable. OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. Silence has weaponized CHM files in their phishing campaigns.
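The detection guidance above, as an added example that is not part of the original page: a small Python triage run over constructed process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the known-good baseline, the list of interpreter children, the user-writable directories and the switch/moniker heuristics are assumptions that a team would tune against its own history.

```python
"""Triage hh.exe / CHM activity in process-creation events.

Added example, not code from the original page. The sample events are
constructed; every list below is an assumption to be tuned per environment.
"""
import ntpath
import re

# Command lines previously judged benign (assumed; a real baseline is built
# from prior history of hh.exe invocations in this environment).
KNOWN_GOOD_ARGS = {
    r'C:\Windows\hh.exe "C:\Program Files\VendorApp\help\manual.chm"',
}

# Children that hh.exe has no routine reason to spawn (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Directories where user-delivered content typically lands (assumed).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\desktop\\", "\\users\\public\\")

# hh.exe switches / monikers worth a second look (assumed heuristic):
# -decompile extracts CHM contents, ms-its:/mk:@MSITStore: are InfoTech
# protocol handlers, and a URL argument means remote content.
SUSPICIOUS_ARGS = re.compile(r"-decompile|ms-its:|mk:@MSITStore:|https?://", re.I)

# Only this location is expected for the real binary (assumed).
EXPECTED_HH_PATH = r"c:\windows\hh.exe"


def _base(path):
    return ntpath.basename(path).lower()


def find_chm_paths(cmdline):
    """Return .chm arguments from a command line, quoted or not."""
    return [m.strip('"') for m in
            re.findall(r'"[^"]+\.chm"|\S+\.chm', cmdline, re.I)]


def analyze(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = _base(event["Image"])
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Non-standard process tree: hh.exe as parent of an interpreter / LOLBin.
    if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
        findings.append(("hh_parent_of_interpreter", f"{image} spawned by hh.exe"))

    if image == "hh.exe":
        # Arguments never seen before in the known-good history.
        if cmd not in KNOWN_GOOD_ARGS:
            findings.append(("hh_unbaselined_args", cmd))
        # A copy of hh.exe outside %SystemRoot% is relocated or masquerading.
        if event["Image"].lower() != EXPECTED_HH_PATH:
            findings.append(("hh_unexpected_location", event["Image"]))
        # CHM content opened from a user-writable / delivery directory.
        for chm in find_chm_paths(cmd):
            if any(d in chm.lower() for d in USER_WRITABLE):
                findings.append(("chm_from_user_writable_path", chm))
        if SUSPICIOUS_ARGS.search(cmd):
            findings.append(("hh_suspicious_switch_or_moniker", cmd))
    return findings


def scan(events):
    """Return [(index, findings)] for every event that produced findings."""
    out = []
    for i, ev in enumerate(events):
        f = analyze(ev)
        if f:
            out.append((i, f))
    return out


# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\hh.exe "C:\Program Files\VendorApp\help\manual.chm"'},
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Program Files\Outlook\outlook.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\alice\Downloads\invoice_2021.chm"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"cmd.exe /c powershell -nop -w hidden -enc AAAA"},
    {"Image": r"C:\Users\Public\hh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\Public\hh.exe -decompile C:\Users\Public\out C:\Users\Public\kit.chm"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        for rule, detail in hits:
            print(f"event {idx}: {rule}: {detail}")
```

The first sample is the baselined vendor help file and produces nothing; the others trip the unbaselined-arguments, delivery-directory, parent-of-interpreter and relocated-binary rules respectively. The exact-match baseline is deliberately strict: a new CHM path in a legitimate product update shows up once, gets reviewed, and is added to KNOWN_GOOD_ARGS, which is cheaper than missing a phishing CHM that looks almost like one.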