You will use the MITRE ATT&CK framework located at Mitre Att&Ck$$ to answer this question.

Adversaries may abuse technology such as Compiled HTML files $(.$chm$)$ to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim as an email attachment and the then triggered by User Execution. CHM execution may also bypass application whitelisting on older and$/$or unpatched systems that do not account for execution of binaries through hh$.$exe. From the list, select all those methods you could use to detect this behavior.

Question $2$ options:

Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system

Monitor and analyze the execution and arguments of hh$.$exe

Monitor presence and use of CHM files, especially if they are not typically used within an environment

Compare recent invocations of hh$.$exe with prior history of known good arguments to determine anomalous and potentially adversarial activity $($ex: obfuscated and$/$or malicious commands$)$