
Summary
This detection rule identifies potentially malicious network connections initiated by the Windows HTML Help executable (hh.exe), typically triggered when a user opens a Compiled HTML (CHM) file. CHM files can embed scripts and executables, allowing attackers to deliver malicious payloads disguised as help documentation. By monitoring for network activity initiated by hh.exe, this rule aims to surface suspicious behaviour that may indicate exploitation or malware distribution. The rule uses Elastic's Event Query Language (EQL) to sequence an hh.exe process creation event with the network events that follow it, and flags any outbound connection whose destination is neither local nor within the recognized private network ranges. The investigation guide emphasizes reviewing associated alerts, analyzing the process execution chain, and checking the DNS cache to further identify malicious activity. The rule is tailored for Windows environments, focusing on threats related to User Execution and System Binary Proxy Execution carried out via Compiled HTML files.
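The sequence logic the summary describes (an hh.exe process start followed, within a short window, by a connection from that process to a non-local, non-private address) is shown below as an added Python example. It is not Elastic's rule or its EQL query; the event field names, the ten-second window and the exclusion list of internal ranges are assumptions made for this illustration, and the sample events are constructed, not real telemetry.

```python
import ipaddress
from typing import Dict, List

# Assumption: this list approximates the "local or private" destinations the
# rule ignores. It is not copied from the rule itself.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "224.0.0.0/4", "ff00::/8",                         # multicast
    "0.0.0.0/32", "255.255.255.255/32",                # unspecified / broadcast
)]

# Constructed sample events (assumed field layout, not a real log format):
# hh.exe opens a CHM file, then talks to loopback, a private host and an
# outside address; an unrelated process makes an external connection too.
SAMPLE_EVENTS = [
    {"category": "process", "type": "start", "pid": 4412, "name": "hh.exe",
     "args": ["C:\\Windows\\hh.exe", "C:\\Users\\alice\\Downloads\\guide.chm"], "ts": 100.0},
    {"category": "network", "pid": 4412, "name": "hh.exe", "dest_ip": "127.0.0.1", "ts": 101.0},
    {"category": "network", "pid": 4412, "name": "hh.exe", "dest_ip": "10.0.0.5", "ts": 102.0},
    {"category": "network", "pid": 4412, "name": "hh.exe", "dest_ip": "203.0.113.7", "ts": 103.0},
    {"category": "process", "type": "start", "pid": 5000, "name": "notepad.exe",
     "args": ["C:\\Windows\\System32\\notepad.exe"], "ts": 104.0},
    {"category": "network", "pid": 5000, "name": "notepad.exe", "dest_ip": "203.0.113.8", "ts": 105.0},
    # hh.exe connection far outside the window: should not be paired
    {"category": "network", "pid": 4412, "name": "hh.exe", "dest_ip": "203.0.113.9", "ts": 200.0},
]


def is_internal(ip_text: str) -> bool:
    """True when the address falls in one of the excluded internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    # ipaddress handles mixed IPv4/IPv6 comparisons by returning False.
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_chm_network_sequences(events: List[dict], max_span: float = 10.0) -> List[dict]:
    """Pair each hh.exe process start with later external connections from
    the same pid inside max_span seconds (mirrors an EQL 'sequence by pid')."""
    hh_starts: Dict[int, dict] = {}
    hits: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "process" and ev.get("type") == "start":
            if ev["name"].lower() == "hh.exe":
                hh_starts[ev["pid"]] = ev
            else:
                hh_starts.pop(ev["pid"], None)   # pid reused by another process
        elif ev["category"] == "network":
            start = hh_starts.get(ev["pid"])
            if start is None:
                continue                          # not an hh.exe process
            if ev["ts"] - start["ts"] > max_span:
                continue                          # outside the sequence window
            if is_internal(ev["dest_ip"]):
                continue                          # local/private, not alerted
            chm_args = [a for a in start["args"] if a.lower().endswith(".chm")]
            hits.append({
                "pid": ev["pid"],
                "dest_ip": ev["dest_ip"],
                "chm_file": chm_args[0] if chm_args else None,
                "ts": ev["ts"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_chm_network_sequences(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} hh.exe -> {hit['dest_ip']} (chm={hit['chm_file']})")
```

The explicit exclusion list is used instead of `ipaddress.is_global` because Python classifies the documentation ranges (such as 203.0.113.0/24 used in the sample) as non-global, which would silently hide the constructed external connection; in production the list should match whatever the deployed rule actually excludes.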
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Windows Registry
- File
ATT&CK Techniques
- T1204
- T1204.002
- T1218
- T1218.001
Created: 2020-02-18