Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | System Binary Proxy Execution: Compiled HTML File (T1218.001) |
| Severity | Low |
Description
A compiled HTML help file wrote a script file to disk. Compiled HTML help files usually do not write script files to disk, so this behavior is often a sign of malware that leverages malicious CHM files to deliver a second-stage payload.
Attacker's Goals
Deliver a second-stage payload or evade detection.
Investigative actions
- Check whether the initiator process is benign or normal for the host and/or the user running it.
- Check the file that was written to disk for malicious content.
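The following is an added example, not part of the original synopsis or the vendor's detection logic. It shows how the behavior described above can be expressed as a rule over file-write telemetry: flag a write where the initiator is the compiled HTML help host process and the target is a script file, then suppress repeat alerts per host for the synopsis' one-day deduplication period. The process name `hh.exe`, the event schema, the script-extension list and the sample events are all assumptions constructed for illustration.

```python
"""Added example: minimal detector for a CHM host process writing a script
file to disk, with one-day per-host deduplication.

Assumptions (not stated on the page): the CHM host process is hh.exe, the
event schema below is constructed, and SCRIPT_EXTENSIONS is an illustrative
list rather than any vendor's definition of "script file".
"""
from datetime import datetime, timedelta

# Assumed name of the Windows HTML Help host that renders .chm files.
CHM_HOST_PROCESSES = {"hh.exe"}

# Illustrative set of extensions treated as script files (an assumption).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".ps1", ".bat", ".cmd", ".hta"}

# Mirrors the synopsis' "Deduplication Period: 1 Day".
DEDUP_WINDOW = timedelta(days=1)


def is_script_file(path: str) -> bool:
    """True if the path's extension is in the illustrative script list."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def detect_chm_script_writes(events):
    """Return one alert per (host, initiator) per DEDUP_WINDOW for file-write
    events where a CHM host process writes a script file.

    Each event is a dict with keys: timestamp (datetime), host, event_type,
    initiator_process, target_path. Events are processed in time order so
    the deduplication window is applied deterministically.
    """
    last_alert = {}   # (host, initiator) -> timestamp of last emitted alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_type"] != "file_write":
            continue
        initiator = ev["initiator_process"].lower()
        if initiator not in CHM_HOST_PROCESSES:
            continue
        if not is_script_file(ev["target_path"]):
            continue
        key = (ev["host"], initiator)
        ts = ev["timestamp"]
        prev = last_alert.get(key)
        if prev is not None and ts - prev < DEDUP_WINDOW:
            continue  # suppressed: same host already alerted within the window
        last_alert[key] = ts
        alerts.append({
            "host": ev["host"],
            "initiator_process": ev["initiator_process"],
            "target_path": ev["target_path"],
            "timestamp": ts,
            "technique": "T1218.001",
        })
    return alerts


# Constructed sample telemetry; hostnames, paths and times are invented.
SAMPLE_EVENTS = [
    {"timestamp": datetime(2024, 1, 1, 10, 0), "host": "WS01",
     "event_type": "file_write", "initiator_process": "hh.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\update.vbs"},
    # Second script write on the same host five minutes later: deduplicated.
    {"timestamp": datetime(2024, 1, 1, 10, 5), "host": "WS01",
     "event_type": "file_write", "initiator_process": "hh.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\run.bat"},
    # Non-script write by hh.exe: normal rendering behavior, ignored.
    {"timestamp": datetime(2024, 1, 1, 10, 6), "host": "WS01",
     "event_type": "file_write", "initiator_process": "hh.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\index.html"},
    # Script write by a non-CHM process: out of scope for this rule.
    {"timestamp": datetime(2024, 1, 1, 11, 0), "host": "WS02",
     "event_type": "file_write", "initiator_process": "notepad.exe",
     "target_path": r"C:\Users\bob\notes.ps1"},
    # Same host, more than a day later: a fresh alert.
    {"timestamp": datetime(2024, 1, 2, 11, 0), "host": "WS01",
     "event_type": "file_write", "initiator_process": "hh.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\stage2.js"},
]

if __name__ == "__main__":
    for alert in detect_chm_script_writes(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events yields two alerts for `WS01` (the `.vbs` write and, a day later, the `.js` write); the `.bat` write is suppressed by the deduplication window, and the `.html` and `notepad.exe` events never match. In a real deployment the dedup key and the extension list would be tuned to the investigative actions above: the initiator process and the written file are exactly the two artifacts an analyst needs to triage the hit.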