
HTML Help HH.EXE Suspicious Child Process

Summary
This detection rule identifies suspicious child processes spawned by the Microsoft HTML Help application (HH.exe). Threat actors have abused HH.exe to execute malicious payloads, including banking trojans and other malware. The rule fires when HH.exe creates a child process whose executable name is on a list of binaries commonly used in attack scenarios, such as CertUtil.exe, Powershell.exe, and CMD.exe. Because of the threat it covers, the rule is rated high severity. Alerts from this rule can indicate an intrusion attempt or a malware infection delivered through HTML Help, so security teams should monitor them closely and investigate each hit.
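The matching logic the summary describes, as an added example that is not the rule's own YAML: it evaluates the parent/child condition over constructed Sysmon-style process-creation events (field names `ParentImage` and `Image` follow the Sysmon / Sigma process_creation convention and are assumed here).

```python
# Added example, not the rule's own YAML: the matching logic summarised above, applied
# to constructed Sysmon-style process-creation events. Field names (ParentImage, Image)
# follow the Sysmon / Sigma process_creation convention.

# Child binaries named on the page. Sigma 'endswith' modifiers compare case-insensitively.
SUSPICIOUS_CHILDREN = ("\\certutil.exe", "\\powershell.exe", "\\cmd.exe")
PARENT_SUFFIX = "\\hh.exe"


def matches_rule(event: dict) -> bool:
    """True when ParentImage ends with \\hh.exe and Image ends with a listed child."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith(PARENT_SUFFIX) and image.endswith(SUSPICIOUS_CHILDREN)


def triage(events: list) -> list:
    """Return only the events that would raise this high-severity alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry: two true positives, three events that must not fire.
SAMPLE_EVENTS = [
    # A .chm opened from Explorer: hh.exe is the child here, not the parent.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe"},
    # hh.exe spawning cmd.exe: matches.
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    # Mixed-case paths still match because the comparison is case-insensitive.
    {"ParentImage": r"C:\WINDOWS\HH.EXE", "Image": r"C:\Windows\System32\CertUtil.exe"},
    # cmd.exe from Explorer: a listed child but the wrong parent.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    # A parent path that merely contains "hh.exe" as a folder does not end with \hh.exe.
    {"ParentImage": r"C:\tools\hh.exe\launcher.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT hh.exe child: {hit['ParentImage']} -> {hit['Image']}")
```

The benign events show the two failure modes a practitioner checks for when porting the rule to a SIEM: the parent/child roles must not be swapped, and the path match must anchor on the trailing `\hh.exe`, not a substring.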
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2020-04-01