Hh.exe Exploit Access

Enable Attack Surface Reduction (ASR) rules in Windows Defender to "Block all Office applications from creating child processes."
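One way to roll out the rule named above is to audit first and enforce afterwards. This is an added example, not code from the original page. It uses the Defender cmdlets `Get-MpPreference` and `Add-MpPreference`; the function names `Get-AsrRuleState`, `Set-OfficeChildProcessRule` and `Get-AsrRuleHits` are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# ASR rule: "Block all Office applications from creating child processes"
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule on this host.
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            switch ([int]$actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-OfficeChildProcessRule {
    # Sets the rule to audit (default) or block and reports the change.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    $before = Get-AsrRuleState -Id $RuleId
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
    [pscustomobject]@{ Rule = $RuleId; Before = $before
                       After = Get-AsrRuleState -Id $RuleId }
}

function Get-AsrRuleHits {
    # Defender logs ASR blocks as event 1121 and audit hits as event 1122.
    param([int]$Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } | Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, Message
}

Set-OfficeChildProcessRule -Mode AuditMode   # review Get-AsrRuleHits, then use -Mode Enabled
```

This rule covers child processes started by Office applications, so it stops a document from launching hh.exe but does not apply to a .chm file opened directly by the user.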

When a user opens a malicious .chm file, the embedded HTML/JavaScript can invoke these methods. While Microsoft added security warnings and restrictions over the years, multiple bypasses have been discovered.

Because hh.exe is trusted and signed, many application control solutions (AppLocker, WDAC) permit it by default. Attackers can:

The hh.exe exploit has been around for several years, with the first reported instances dating back to 2006. Since then, various versions of the exploit have been discovered, each with its own unique characteristics and attack vectors. In 2019, a particularly concerning variant of the exploit was discovered, which allowed attackers to use the hh.exe file to bypass Windows Defender Advanced Threat Protection (ATP) and other security measures.