Detect HTML Help Spawn Child Process

Splunk Security Content

Summary
This analytic rule detects the execution of `hh.exe` (HTML Help), specifically instances where it spawns a child process. This behavior matters because it can indicate that a Compiled HTML Help (.chm) file is being used to run malicious Windows scripts; `hh.exe` is often misused by attackers to circumvent security measures and execute harmful code in the victim's environment. The detection uses process-creation telemetry from Endpoint Detection and Response (EDR) tools and looks for events in which `hh.exe` is the parent process of a newly created process. If identified, this behavior warrants immediate investigation as it could represent an advanced persistent threat (APT) or malware activity. The rule draws on data sources such as Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2 to gather the relevant process-creation logs for analysis.
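The parent-process condition described above, run over a handful of constructed process-creation records as an added example (not the Splunk rule itself): it normalizes Sysmon EventID 1 and Security 4688 records onto one schema, compares the parent image name case-insensitively, and flags only processes that `hh.exe` spawned, not `hh.exe` being launched. The sample events and their command lines are made up for this illustration.

```python
# Flag process-creation events whose parent is hh.exe (HTML Help). Sample records
# are constructed for this example; field names follow Sysmon EventID 1 and Security 4688.
import ntpath

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "UtcTime": "2024-12-10 10:01:02", "User": "CORP\\alice",
     "Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\alice\\Downloads\\guide.chm"},
    {"EventID": 1, "UtcTime": "2024-12-10 10:01:03", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\hh.exe",
     "CommandLine": "cmd.exe /c <placeholder>"},
    {"EventID": 4688, "TimeCreated": "2024-12-10T10:05:00Z", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\wscript.exe",
     "ParentProcessName": "C:\\WINDOWS\\HH.EXE", "CommandLine": "wscript.exe <placeholder>"},
    {"EventID": 4688, "TimeCreated": "2024-12-10T10:06:00Z", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\hh.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "hh.exe help.chm"},
    {"EventID": 7, "Image": "C:\\Windows\\hh.exe"},  # image load, not a process creation
]


def normalize(event):
    """Map a Sysmon 1 or Security 4688 record onto one schema; None for other events."""
    if event.get("EventID") == 1:
        return {"time": event["UtcTime"], "user": event.get("User", ""),
                "process": event["Image"], "parent": event["ParentImage"],
                "cmdline": event.get("CommandLine", "")}
    if event.get("EventID") == 4688:
        return {"time": event["TimeCreated"], "user": event.get("SubjectUserName", ""),
                "process": event["NewProcessName"], "parent": event["ParentProcessName"],
                "cmdline": event.get("CommandLine", "")}
    return None


def basename_lower(path):
    """Windows paths are case-insensitive; compare on the lower-cased file name."""
    return ntpath.basename(path).lower()


def detect_hh_child_processes(events):
    """Return records where hh.exe is the parent; hh.exe itself being launched
    (e.g. by explorer.exe) is not flagged, only what it spawns, as the rule requires."""
    return [rec for rec in map(normalize, events)
            if rec is not None and basename_lower(rec["parent"]) == "hh.exe"]


if __name__ == "__main__":
    for hit in detect_hh_child_processes(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}: hh.exe -> {hit['process']}  {hit['cmdline']}")
```

Triage of a hit should start from the `.chm` path in the parent's own command line (the first sample record), since the child event alone does not say which help file was opened.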
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1218
  • T1218.001
Created: 2024-12-10