
Summary
This analytic rule detects potentially malicious execution of hh.exe (HTML Help) that uses InfoTech Storage Handlers to load Windows script code from Compiled HTML Help (CHM) files. It works on data collected from Endpoint Detection and Response (EDR) agents, examining process names and command-line arguments. The detection matters because CHM files can carry embedded scripts, which could lead to arbitrary code execution, privilege escalation, or unauthorized persistence in a target environment. It relies on data sources such as Sysmon EventID 1 and Windows Event Log Security 4688, so that comprehensive telemetry about the process is recorded. Implementing the rule requires ingesting EDR data and mapping it to the `Processes` node of the Endpoint data model, normalized with the Splunk CIM.
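The following is an added illustration of the detection logic described above, run over constructed sample events; it is not the rule's own search. It assumes CIM-style field names (`dest`, `user`, `process_name`, `process`, `process_command_line`) and the storage handler prefixes `its:`, `ms-its:` and `mk:@MSITStore:`, none of which the summary spells out.

```python
import re
from dataclasses import dataclass

# Assumed InfoTech Storage handler prefixes accepted on the hh.exe command line:
# "its:", "ms-its:" and "mk:@MSITStore:" (constructed list, not from the page).
ITS_HANDLER_RE = re.compile(r"\b(?:ms-)?its:|mk:@MSITStore:", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    user: str
    command_line: str
    handler: str  # the storage handler prefix that matched

def detect_its_hh(events):
    """Flag hh.exe executions whose command line uses an ITS storage handler."""
    findings = []
    for ev in events:
        name = (ev.get("process_name") or "").lower()
        path = (ev.get("process") or "").lower()
        cmd = ev.get("process_command_line") or ""
        # Accept either the bare image name or the full path: Sysmon EventID 1
        # and Security 4688 do not always populate both fields after mapping.
        if name != "hh.exe" and not path.endswith("\\hh.exe"):
            continue
        match = ITS_HANDLER_RE.search(cmd)
        if match is None:
            continue  # plain help-file launch, no storage handler involved
        findings.append(Finding(ev.get("dest", "?"), ev.get("user", "?"), cmd, match.group(0)))
    return findings

# Constructed sample events: a benign hh.exe launch, two handler-based launches
# (one in upper case) and an unrelated process that must not fire.
SAMPLE_EVENTS = [
    {"dest": "WKS01", "user": "CORP\\alice", "process_name": "hh.exe", "process": "C:\\Windows\\hh.exe",
     "process_command_line": "\"C:\\Windows\\hh.exe\" C:\\Users\\alice\\Documents\\guide.chm"},
    {"dest": "WKS02", "user": "CORP\\bob", "process_name": "hh.exe", "process": "C:\\Windows\\hh.exe",
     "process_command_line": "hh.exe its:C:\\Users\\bob\\Downloads\\invoice.chm::/page.htm"},
    {"dest": "WKS03", "user": "CORP\\carol", "process_name": "HH.EXE", "process": "C:\\Windows\\HH.EXE",
     "process_command_line": "HH.EXE mk:@MSITStore:C:\\Temp\\help.chm::/index.htm"},
    {"dest": "WKS04", "user": "CORP\\dave", "process_name": "powershell.exe", "process": None,
     "process_command_line": "powershell.exe -Command Get-Help about_Help"},
]

if __name__ == "__main__":
    for f in detect_its_hh(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} handler={f.handler} cmd={f.command_line}")
```

Only the two handler-based launches are reported; the ordinary CHM open on WKS01 is left alone, which is the distinction the rule relies on to keep false positives down.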
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.001
Created: 2024-12-10