Esc

Compiled HTML File - T1218.001

(ATT&CK® Technique)

Definition

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1218001["Compiled HTML File"] --> |invokes| CreateFile["Create File"]; class T1218001 OffensiveTechniqueNode;
        class CreateFile ArtifactNode; click CreateFile href "/dao/artifact/d3f:CreateFile";
        click T1218001 href "/offensive-technique/attack/T1218.001/"; click CreateFile href "/dao/artifact/d3f:CreateFile"; T1218001["Compiled HTML File"] --> |invokes| CreateProcess["Create Process"]; class T1218001 OffensiveTechniqueNode;
        class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
        click T1218001 href "/offensive-technique/attack/T1218.001/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess";                          SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1218001["Compiled HTML File"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateFile["Create File"];

          
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
            | may-detect | T1218001["Compiled HTML File"] ;
          class ProcessSpawnAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";                                        Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
          | restricts | CreateProcess["Create Process"];

          Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
            | may-isolate | T1218001["Compiled HTML File"] ;
          class Hardware-basedProcessIsolation DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1218001["Compiled HTML File"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1218001["Compiled HTML File"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";                                        FileCreationAnalysis["File Creation Analysis"] -->
          | analyzes | CreateFile["Create File"];

          FileCreationAnalysis["File Creation Analysis"] -.->
            | may-detect | T1218001["Compiled HTML File"] ;
          class FileCreationAnalysis DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click FileCreationAnalysis href "/technique/d3f:FileCreationAnalysis";              SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateProcess["Create Process"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1218001["Compiled HTML File"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateFile["Create File"];

          
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

json