DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe

Item	Value
ID	DET0342
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1218.001 (Compiled HTML File)

Analytics

Windows

AN0968

Execution of hh.exe to open a .chm file followed by suspicious child processes or script engine invocation (VBScript, JScript, mshta, powershell). Behavior includes loading a CHM file from untrusted locations, or immediately spawning commands indicative of payload execution.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
CHMPathRegex	Regex matching CHM file locations; tune to exclude trusted internal software help files
ChildProcessList	List of suspicious children of hh.exe (powershell.exe, cmd.exe, mshta.exe, wscript.exe)
NetworkDestinationAllowlist	Filter for legitimate update/help servers accessed by hh.exe
TimeWindow	Threshold time between hh.exe execution and suspicious follow-on activity