Execution of hh.exe to open a .chm file, followed by suspicious child processes or script-engine invocation (VBScript, JScript, mshta, PowerShell). Behavior includes loading a CHM file from an untrusted location, or immediately spawning commands indicative of payload execution.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| CHMPathRegex | Regex matching CHM file locations; tune to exclude trusted internal software help files |
| ChildProcessList | List of suspicious children of hh.exe (powershell.exe, cmd.exe, mshta.exe, wscript.exe) |
| NetworkDestinationAllowlist | Filter for legitimate update/help servers accessed by hh.exe |
| TimeWindow | Threshold time between hh.exe execution and suspicious follow-on activity |
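The correlation the tables describe, written out as an added example (not code from this page or from a vendor product): hh.exe process-creation events whose command line matches CHMPathRegex are treated as launches, and each launch is flagged when a process from ChildProcessList is spawned under hh.exe, or hh.exe connects to a host outside NetworkDestinationAllowlist, within TimeWindow. The regex, list, allowlist value, window and the Sysmon-style events are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the strategy's fields; the concrete values are constructed examples.
CHM_PATH_REGEX = re.compile(r"(?i)\\(downloads|temp|appdata)\\.*\.chm\b")  # untrusted CHM locations
CHILD_PROCESS_LIST = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
NETWORK_DESTINATION_ALLOWLIST = {"10.10.0.20"}  # constructed internal help/update server
TIME_WINDOW = timedelta(seconds=60)

# Constructed Sysmon-like events (EventCode 1 = process creation, 3 = network connection).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00", "EventCode": 1, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'hh.exe "C:\Users\bob\Downloads\invoice.chm"'},
    {"UtcTime": "2024-05-01 10:00:04", "EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\hh.exe", "CommandLine": "cmd.exe /c echo placeholder"},
    {"UtcTime": "2024-05-01 10:00:06", "EventCode": 3, "Image": r"C:\Windows\hh.exe",
     "DestinationIp": "203.0.113.7"},  # documentation address, not on the allowlist
    {"UtcTime": "2024-05-01 11:30:00", "EventCode": 1, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r'hh.exe "C:\Program Files\Vendor\help.chm"'},  # trusted help file
    {"UtcTime": "2024-05-01 11:30:02", "EventCode": 3, "Image": r"C:\Windows\hh.exe",
     "DestinationIp": "10.10.0.20"},  # allowlisted destination
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect(events):
    """Return one alert per hh.exe launch of an untrusted CHM that is followed,
    within TIME_WINDOW, by a listed child process or a non-allowlisted connection."""
    alerts = []
    launches = [e for e in events if e["EventCode"] == 1 and basename(e["Image"]) == "hh.exe"
                and CHM_PATH_REGEX.search(e.get("CommandLine", ""))]
    for launch in launches:
        t0, reasons = parse_time(launch["UtcTime"]), []
        for e in events:
            if not (timedelta(0) <= parse_time(e["UtcTime"]) - t0 <= TIME_WINDOW):
                continue  # outside the correlation window
            if e["EventCode"] == 1 and basename(e.get("ParentImage", "")) == "hh.exe" \
                    and basename(e["Image"]) in CHILD_PROCESS_LIST:
                reasons.append(f"child process {basename(e['Image'])}")
            elif e["EventCode"] == 3 and basename(e["Image"]) == "hh.exe" \
                    and e.get("DestinationIp") not in NETWORK_DESTINATION_ALLOWLIST:
                reasons.append(f"network connection to {e['DestinationIp']}")
        if reasons:
            alerts.append({"time": launch["UtcTime"], "command": launch["CommandLine"], "reasons": reasons})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for the Downloads launch; the vendor help file is excluded by CHMPathRegex and its allowlisted connection is ignored.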