
Windows System Binary Proxy Execution Compiled HTML File Decompile

Splunk Security Content

Summary
This detection rule identifies execution of the HTML Help application (hh.exe) with the -decompile parameter, using endpoint telemetry such as Sysmon process-creation events (Event ID 1) and Windows event logs that record process command lines. The -decompile switch unpacks the files embedded in a compiled HTML help (.chm) file into a directory on disk; APT41 campaigns have used it to extract and manipulate HTML help files in preparation for subsequent malicious operations. By monitoring command-line activity, the rule flags unusual use of the decompile parameter, which, when malicious, can precede arbitrary command execution and system compromise. Implementation requires ingestion of logs from EDR agents that capture complete process command lines and parent/child process details. Related references and MITRE ATT&CK techniques are provided to support context and investigation.
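As an added example (not the rule's own Splunk search), the detection logic emulated in Python and run over a few constructed Sysmon process-creation records. Field names follow Sysmon's Image, CommandLine, ParentImage and User; the sample events, paths and user names are constructed for illustration, and the argument extraction assumes the documented hh.exe -decompile <output_dir> <file.chm> form. It also shows the check a practitioner wants: a .chm whose name merely contains the word "decompile" must not fire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 (process creation) fields the rule needs."""
    image: str          # Sysmon 'Image': full path of the new process
    command_line: str   # Sysmon 'CommandLine'
    parent_image: str   # Sysmon 'ParentImage'
    user: str           # Sysmon 'User'


@dataclass
class Finding:
    event: ProcessEvent
    output_dir: Optional[str]   # where hh.exe will write the unpacked files
    chm_path: Optional[str]     # the .chm being decompiled


# '-decompile' must be a standalone switch: preceded by start-of-line or
# whitespace and followed by whitespace or end-of-line. This avoids matching a
# file called 'decompile-notes.chm' passed to hh.exe for normal viewing.
DECOMPILE_FLAG = re.compile(r'(?i)(?:^|\s)-decompile(?=\s|$)')

# Windows-style tokenizer: a double-quoted run or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    """Lower-cased file name of an Image path, tolerating / or \\ separators."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a command line into arguments, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def is_hh_decompile(evt: ProcessEvent) -> bool:
    """Core rule: the process is hh.exe and its command line carries -decompile."""
    return (basename(evt.image) == 'hh.exe'
            and DECOMPILE_FLAG.search(evt.command_line) is not None)


def decompile_args(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (output_dir, chm_path) following -decompile, if present."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        if tok.lower() == '-decompile':
            out = toks[i + 1] if i + 1 < len(toks) else None
            chm = toks[i + 2] if i + 2 < len(toks) else None
            return out, chm
    return None, None


def run_detection(events: List[ProcessEvent]) -> List[Finding]:
    """Apply the rule to a batch of events and enrich each hit for triage."""
    findings = []
    for evt in events:
        if is_hh_decompile(evt):
            out, chm = decompile_args(evt.command_line)
            findings.append(Finding(evt, out, chm))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 1. hh.exe launched from cmd.exe to unpack a .chm: should fire.
    ProcessEvent(r'C:\Windows\hh.exe',
                 r'hh.exe -decompile C:\Users\Public\out C:\Users\Public\help.chm',
                 r'C:\Windows\System32\cmd.exe', r'CORP\alice'),
    # 2. Ordinary help viewing from Explorer: must not fire.
    ProcessEvent(r'C:\Windows\hh.exe',
                 r'"C:\Windows\hh.exe" "C:\Program Files\Tool\manual.chm"',
                 r'C:\Windows\explorer.exe', r'CORP\alice'),
    # 3. 'decompile' appears only inside the file name: must not fire.
    ProcessEvent(r'C:\Windows\hh.exe',
                 r'hh.exe C:\docs\decompile-notes.chm',
                 r'C:\Windows\explorer.exe', r'CORP\bob'),
    # 4. Upper-case image and quoted paths with spaces: should fire.
    ProcessEvent(r'C:\Windows\HH.EXE',
                 r'"C:\Windows\HH.EXE" -DECOMPILE "C:\ProgramData\x y" "C:\ProgramData\payload.chm"',
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', r'CORP\bob'),
]


if __name__ == '__main__':
    for f in run_detection(SAMPLE_EVENTS):
        print(f'ALERT user={f.event.user} parent={basename(f.event.parent_image)} '
              f'chm={f.chm_path} out={f.output_dir}')
```

The parent image and the extraction directory are carried into the finding because they are the first things an analyst checks: hh.exe spawned by a shell or scripting host writing into a user-writable directory is far more suspicious than hh.exe opened from Explorer to read documentation.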
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1218
  • T1218.001
Created: 2024-12-10