hh.exe Execution

Anvilogic Forge

Summary
This detection rule identifies execution of `hh.exe`, the Microsoft HTML Help executable that opens Compiled HTML Help (.chm) files, a file type adversaries abuse to conceal malicious payloads. CHM files are a standard part of the Microsoft HTML Help system and are typically delivered to victims directly, relying on the user to open them. The rule uses Windows event logs to detect `hh.exe` being executed, considering both the direct invocation of the process and the parent process that launched it. The logic is implemented in Splunk and filters process data on predefined criteria, specifically event code 4688, which records the creation of a new process. The rule is linked to known threat actors such as APT-K-47, Gamaredon, and Kimsuky, reflecting the malicious use of CHM files as an evasion technique under system binary proxy execution. The detection supports threat intelligence work and proactive defense against this technique.
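To make the filtering described above concrete, here is an added example (not the Anvilogic rule itself) that applies the same logic in Python to constructed 4688 records: keep only event code 4688, then key on `hh.exe` as the new process, and also as the parent process, which is this example's reading of "associated parent processes". The key=value layout and the field names `New_Process_Name`, `Creator_Process_Name` and `Process_Command_Line` are assumed to follow Splunk's Windows add-on; all sample values are made up.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample. The field names follow the key=value layout Splunk's Windows
# add-on produces for Security event 4688 (an assumption); no value is real telemetry.
SAMPLE_EVENTS = """\
EventCode=4688
New_Process_Name=C:\\Windows\\hh.exe
Creator_Process_Name=C:\\Windows\\explorer.exe
Process_Command_Line="C:\\Windows\\hh.exe" C:\\Users\\alice\\Downloads\\invoice.chm
---
EventCode=4688
New_Process_Name=C:\\Windows\\System32\\cmd.exe
Creator_Process_Name=C:\\Windows\\hh.exe
Process_Command_Line=cmd.exe
---
EventCode=4689
New_Process_Name=C:\\Windows\\hh.exe
Creator_Process_Name=C:\\Windows\\explorer.exe
Process_Command_Line=
"""

# A hit is (kind, new_process, parent_process, command_line), where kind is
# "launch" (hh.exe itself was created) or "child" (hh.exe created another process).
Hit = Tuple[str, str, str, str]

def parse_events(text: str) -> List[Dict[str, str]]:
    """One dict per record: '---' separates records, each line is key=value."""
    events = []
    for block in text.split("---"):
        pairs = (line.partition("=") for line in block.strip().splitlines())
        fields = {k.strip(): v.strip() for k, _, v in pairs}
        if fields:
            events.append(fields)
    return events

def _is_hh(path: str) -> bool:
    # Compare the file name only, case-insensitively, so any install path matches.
    return PureWindowsPath(path).name.lower() == "hh.exe"

def detect_hh_exe(text: str) -> List[Hit]:
    """Keep only 4688 (process creation) events where hh.exe is the new or the parent process."""
    hits: List[Hit] = []
    for ev in parse_events(text):
        if ev.get("EventCode") != "4688":
            continue  # 4689 (process exit) and other codes are out of scope for this rule
        proc = ev.get("New_Process_Name", "")
        parent = ev.get("Creator_Process_Name", "")
        kind = "launch" if _is_hh(proc) else "child" if _is_hh(parent) else None
        if kind:
            hits.append((kind, proc, parent, ev.get("Process_Command_Line", "")))
    return hits
```

Running `detect_hh_exe(SAMPLE_EVENTS)` yields two hits, the `hh.exe` launch from `explorer.exe` with the .chm on its command line and the `cmd.exe` child of `hh.exe`, while the 4689 record is ignored despite naming `hh.exe`.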
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218.001
Created: 2024-02-09