MITRE ATT&CK® Detection Strategy

DET0342: Detection of Suspicious Compiled HTML File Execution via hh.exe


Enterprise · DET0342 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it focuses on suspicious use of hh.exe, the Windows HTML Help executable associated through ATT&CK with Compiled HTML File abuse. For leaders, the practical issue is that a legitimate help-file mechanism can become a hiding place for scriptable content, making it important to know whether endpoint monitoring can distinguish normal help usage from unusual execution patterns.

Executive priority

Prioritize this as a control-validation and evidence question rather than as a standalone incident claim. Security leaders should ask whether the organization can see hh.exe activity, associated .chm file use, parent/child process behavior, and file provenance well enough to support SOC triage and incident response decisions. This is especially relevant to resilience and audit readiness where legitimate Windows components may be abused for stealthy execution.

Technical view

ATT&CK links this detection strategy to T1218.001, Compiled HTML File, in the enterprise domain. The related technique is associated with Windows and the stealth tactic. Because the supplied object has no official description, detection text, tactics, or platform field of its own, teams should validate coverage against the relationship context: suspicious hh.exe execution involving compiled HTML files, unusual parent processes, unexpected child processes, scriptable content behavior, or execution from user-writable/download locations. Tuning should separate routine help-file access from patterns inconsistent with normal enterprise software behavior.

Likely telemetry

  • Endpoint process creation events including hh.exe command line, parent process, child process, user, host, and timestamp
  • File events for .chm creation, download, modification, and execution paths
  • Process ancestry showing whether hh.exe was launched by browsers, email clients, archive tools, office applications, scripting hosts, or normal help workflows
  • Endpoint security alerts or EDR telemetry related to script execution, ActiveX/JScript/VBA/Java-related content, or unusual child processes from hh.exe
  • User and host context to distinguish expected administrative/help activity from anomalous execution

Detection direction

  • Confirm whether process creation logging captures hh.exe with sufficient command-line and parent/child process detail.
  • Baseline normal hh.exe usage in the environment before treating all execution as suspicious, since HTML Help can be legitimate.
  • Prioritize detections where hh.exe interacts with .chm files from user-writable, temporary, download, email, or archive extraction locations.
  • Look for uncommon process ancestry or child process creation associated with hh.exe, while avoiding assumptions not supported by local telemetry.
  • Use the T1218.001 relationship as context for stealth-focused hunting, but do not infer broader technique coverage from this detection strategy alone.
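As an added illustration (not part of the ATT&CK object or Glexia's analysis), the script below applies the direction above to a few constructed Sysmon-style process-creation events: it checks the .chm path location, the parent of hh.exe against a local baseline and a list of high-risk launchers, and any child process spawned by hh.exe. The hosts, users, paths, parent lists and baseline are assumptions made for the example.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields); all values are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "corp\\alice", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Program Files\Vendor\app.chm',
     "parent": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws02", "user": "corp\\bob", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\bob\Downloads\invoice.chm',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "ws02", "user": "corp\\bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo test", "parent": r"C:\Windows\hh.exe"},
]

# User-writable / download / temp / cache locations a .chm should rarely be opened from.
RISKY_CHM_DIRS = re.compile(r"\\(Downloads|Temp|Desktop|INetCache)\\", re.I)
# Launchers that indicate a .chm arrived via mail, browser, archive, office doc or script host.
RISKY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "winrar.exe",
                 "7zfm.exe", "winword.exe", "excel.exe", "wscript.exe", "cscript.exe",
                 "powershell.exe"}
# Assumed local baseline: parents known to open hh.exe legitimately in this environment.
BASELINE_PARENTS = {"explorer.exe", "app.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def chm_path(cmdline):
    """Extract the first .chm argument (quoted or not) from an hh.exe command line."""
    m = re.search(r'"?([A-Za-z]:\\[^"]+?\.chm)"?', cmdline, re.I)
    return m.group(1) if m else None


def assess(event):
    """Return the reasons an event looks suspicious (empty list = consistent with baseline)."""
    reasons = []
    img, parent = basename(event["image"]), basename(event["parent"])
    if img == "hh.exe":
        chm = chm_path(event["cmdline"])
        if chm and RISKY_CHM_DIRS.search(chm):
            reasons.append(f"chm opened from user-writable location: {chm}")
        if parent in RISKY_PARENTS:
            reasons.append(f"hh.exe launched by {parent}")
        elif parent not in BASELINE_PARENTS:
            reasons.append(f"hh.exe parent not in baseline: {parent}")
    elif parent == "hh.exe":
        reasons.append(f"hh.exe spawned child process {img}")
    return reasons


def triage(events):
    """Group findings by host so a SOC analyst sees the hh.exe launch and its children together."""
    findings = {}
    for e in events:
        reasons = assess(e)
        if reasons:
            findings.setdefault(e["host"], []).append((basename(e["image"]), reasons))
    return findings
```

Run `triage(SAMPLE_EVENTS)`: the vendor help-file launch on ws01 is dropped by the baseline, while ws02 yields one finding for hh.exe (Downloads path plus Outlook parent) and one for the cmd.exe child.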

Mitigation priorities

  • Ensure endpoint logging and retention are sufficient to reconstruct hh.exe execution and related file activity.
  • Restrict or monitor execution of compiled HTML files from untrusted or user-writable locations where business operations allow.
  • Review application control, attachment handling, and download controls for .chm files based on organizational need.
  • Prepare SOC playbooks for triaging suspicious hh.exe events, including file source, user intent, process ancestry, and host exposure.
  • Document coverage and gaps as compliance or control evidence, especially where legitimate Windows utilities are in scope for abuse monitoring.

Analyst notes and limits

The source object is a MITRE ATT&CK detection strategy, DET0342, named “Detection of Suspicious Compiled HTML File Execution via hh.exe.” It has no official description or detection content in the supplied fields. The main analytic value comes from its relationship to T1218.001, Compiled HTML File, whose supplied description explains that CHM files are part of Microsoft HTML Help and can contain web/script-related content loaded through Internet Explorer components.

Platforms and tactics are not specified on the detection-strategy object itself. Windows and stealth context come only from the related T1218.001 technique. Local baselining is required to determine what hh.exe behavior is actually suspicious in a given environment. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Suspicious Compiled HTML File Execution via hh.exe

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                Type           Relationship / procedure
Enterprise  T1218.001  Compiled HTML File  Sub-technique  This object detects Compiled HTML File.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9431a6dc00c605e6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  9431a6dc00c6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0342

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.