
Suspicious Child Process for hh.exe

Anvilogic Forge

Summary
This detection rule identifies instances where hh.exe, the Windows HTML Help executable, spawns a child process that is more consistent with payload execution than with viewing help content. Adversaries package malicious content in Compiled HTML Help (.chm) files; when a user opens such a file, hh.exe renders it, and embedded script or object elements can launch other programs. The rule therefore looks for hh.exe as the parent of command-line and scripting utilities such as cmd.exe and PowerShell, which a help viewer has little legitimate reason to start. The logic runs in Splunk over Sysmon endpoint data: it filters on the process-creation event code, matches the parent process name against hh.exe, and then checks whether the child process is one of the listed utilities. Because .chm abuse lets an attacker run code through a signed, trusted Windows binary, the technique is classed under defense evasion in MITRE ATT&CK as T1218.001 (System Binary Proxy Execution: Compiled HTML File). The threat actor APT-K-47 (Mysterious Elephant) has been associated with this technique, which underlines the value of monitoring hh.exe child processes. Note that the rule keys on image names, so a renamed copy of hh.exe or a child not on the list will not match; reviewing the child's command line and the origin of the .chm file helps confirm a hit.
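The following is an added example, not the Forge rule's own query, that applies the same parent/child check to constructed Sysmon process-creation records so the matching logic can be exercised offline. The child-process list is an assumption: the page names cmd.exe and PowerShell explicitly, and the other LOLBins are typical additions rather than the rule's actual list. The SPL shape in the comment is likewise illustrative.

```python
"""Detect hh.exe spawning command-line or scripting utilities.

Added example (not Anvilogic Forge's rule code). It mirrors the logic the
page describes: Sysmon process creation events where the parent image is
hh.exe and the child image is one of a list of suspicious utilities.

Illustrative SPL shape for the same check (not the Forge rule's query):
    index=sysmon EventCode=1 ParentImage="*\\hh.exe"
        Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", ...)
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Sysmon EventCode 1 is process creation.
SYSMON_PROCESS_CREATE = 1

# Assumption: illustrative child list. cmd.exe and powershell.exe come from
# the page; the rest are common LOLBins a rule author would usually add.
SUSPICIOUS_CHILDREN = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
})


@dataclass(frozen=True)
class Match:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str | None) -> str:
    """Lower-cased file name of a Windows path; empty string if missing."""
    if not path:
        return ""
    return ntpath.basename(path.replace("/", "\\")).lower()


def detect_hh_children(events: list[dict]) -> list[Match]:
    """Return one Match per event where hh.exe spawned a listed utility.

    Tolerates EventCode arriving as a string (common after log forwarding),
    mixed-case image paths, and records that lack ParentImage entirely.
    """
    matches: list[Match] = []
    for ev in events:
        try:
            code = int(ev.get("EventCode", -1))
        except (TypeError, ValueError):
            continue
        if code != SYSMON_PROCESS_CREATE:
            continue
        if _basename(ev.get("ParentImage")) != "hh.exe":
            continue
        if _basename(ev.get("Image")) not in SUSPICIOUS_CHILDREN:
            continue
        matches.append(Match(
            host=ev.get("Computer", "?"),
            parent_image=ev["ParentImage"],
            image=ev["Image"],
            command_line=ev.get("CommandLine", ""),
        ))
    return matches


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    # hh.exe -> cmd.exe: should match.
    {"EventCode": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "start /min powershell -w hidden -enc ..."'},
    # Mixed case and string EventCode: should still match.
    {"EventCode": "1", "Computer": "WS02",
     "ParentImage": r"C:\WINDOWS\HH.EXE",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "PowerShell.exe -nop -w hidden -c ..."},
    # Different parent: not a match for this rule.
    {"EventCode": 1, "Computer": "WS03",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # hh.exe spawning an unlisted child: not a match.
    {"EventCode": 1, "Computer": "WS04",
     "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
    # Sysmon file-create event from hh.exe (no ParentImage): ignored.
    {"EventCode": 11, "Computer": "WS05",
     "Image": r"C:\Windows\hh.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\x.hta"},
]


def main() -> None:
    for m in detect_hh_children(SAMPLE_EVENTS):
        print(f"{m.host}: {m.parent_image} -> {m.image} :: {m.command_line}")


if __name__ == "__main__":
    main()
```

Case-insensitive basename matching is what keeps the rule from being trivially bypassed by path casing; it does not, however, catch a copy of hh.exe renamed to something else, which is why the host's file-origin telemetry is worth correlating with a hit.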
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218.001
Created: 2024-02-09