From Hard_Configurator Tools
- Dec 23, 2014
The LOLBin hh.exe is a default utility to open CHM files that can include scripts. The cons are that some applications use CHM for a help file - that is why it is not active in my script. The classic SRP has the advantage over AppLocker (and WDAC) of selectively blocking CHM files in UserSpace.

@Andy Ful
Blocking hh.exe to start other sponsors should minimize the options to misuse hh.exe as a LOLBin (or is that a wrong assumption?). Could this also be achieved by adding MD Exploit Protection for hh.exe (e.g., only allow signed Microsoft DLLs and block starting other programs)?
MD Exploit Protection can block hh.exe, too. But, this block will not work after copying hh.exe to another location and renaming it.
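
Added example, not part of the original thread: because a per-program rule no longer matches once hh.exe is copied and renamed, a detection can key on the `OriginalFileName` that the PE version resource carries along with the file. The sketch below runs over constructed Sysmon-style process-creation events; the field names, the `HH.exe` value and the two expected install paths are assumptions about a default Windows setup.

```python
import ntpath

# Assumption: hh.exe's version resource reports OriginalFileName "HH.exe"
# (compared case-insensitively) and its default locations are the two below.
ORIGINAL_NAME = "hh.exe"
EXPECTED_IMAGES = {r"c:\windows\hh.exe", r"c:\windows\syswow64\hh.exe"}

# Constructed sample events using Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "OriginalFileName": "HH.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "OriginalFileName": "HH.exe"},
    {"Image": r"C:\Users\alice\Desktop\hh.exe", "OriginalFileName": "HH.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def classify(event):
    """Return 'renamed', 'relocated', or None for one process-creation event."""
    image = ntpath.normpath(event.get("Image", "")).lower()
    original = (event.get("OriginalFileName") or "").lower()
    if original != ORIGINAL_NAME:
        return None  # not the HTML Help executable at all
    if image in EXPECTED_IMAGES:
        return None  # hh.exe running from its normal location
    if ntpath.basename(image) == ORIGINAL_NAME:
        return "relocated"  # name kept, but started from another folder
    return "renamed"  # started under a different file name


def find_relocated_hh(events):
    """List (verdict, image path) for every copy of hh.exe outside its usual path."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event["Image"]))
    return hits


if __name__ == "__main__":
    for verdict, image in find_relocated_hh(SAMPLE_EVENTS):
        print(f"{verdict}: {image}")
```
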