Another variation uses the mk:@MSITStore protocol: hh.exe mk:@MSITStore:C:\path\to\file.chm::/index.htm
Security teams monitor for suspicious behaviors involving this process: System Binary Proxy Execution: Compiled HTML File hh.exe exploit
Defenders should prioritize via GPO and monitoring hh.exe process behavior. For most modern enterprises, blocking .chm attachments at the mail gateway and restricting hh.exe to only trusted paths is sufficient. Another variation uses the mk:@MSITStore protocol: hh
You might ask: "Why hasn't Microsoft killed hh.exe ?" hh.exe exploit
Favourite added temporarily. To add it to your profile, you will need to sign in.