Suspicious mshta spawn

Splunk Security Content

Summary
This detection rule identifies `mshta.exe` being spawned by `wmiprvse.exe` or `svchost.exe` on Windows endpoints. The behavior is flagged from Endpoint Detection and Response (EDR) telemetry, specifically process creation events. `mshta.exe` normally executes HTML applications, but attackers can abuse it to run malicious scripts; it is a low-level access technique that can escalate into a larger compromise. If the spawning of `mshta.exe` is confirmed to be malicious, the attacker may be able to run arbitrary code and gain further access to the system. The rule combines Sysmon events and Windows Security logs to detect this anomalous parent-child process relationship, which is a strong indicator of exploitation. The detection matters for monitoring and preventing advanced attacks that rely on living-off-the-land (LotL) techniques, as catalogued in the MITRE ATT&CK framework.
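The parent-child check the summary describes, written out as an added, stand-alone Python example (not the Splunk Security Content rule itself, which is a Splunk search). The input is a handful of constructed process-creation events in a key="value" line format; the field names `Image`/`ParentImage` (Sysmon EventCode 1) and `NewProcessName`/`ParentProcessName` (Windows Security 4688) are assumed mappings to the two log sources the rule mentions, and the host names, paths and command lines are made up.

```python
import re
from typing import Dict, Iterable, List, Optional

# Parent processes that should not normally launch mshta.exe (from the rule summary).
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "svchost.exe"}
TARGET_CHILD = "mshta.exe"

# Assumed field aliases: Sysmon EventCode 1 uses Image/ParentImage, Windows
# Security 4688 uses NewProcessName/ParentProcessName. Both map to one logical field here.
FIELD_ALIASES = {
    "image": ("Image", "NewProcessName"),
    "parent": ("ParentImage", "ParentProcessName"),
    "cmdline": ("CommandLine",),
}

# Constructed sample events (not real Splunk or Sysmon output).
SAMPLE_EVENTS = [
    r'EventCode=1 Computer="ws01" ParentImage="C:\Windows\System32\wbem\WmiPrvSE.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Users\Public\report.hta"',
    r'EventCode=1 Computer="ws01" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Users\alice\help.hta"',
    r'EventCode=4688 Computer="ws02" ParentProcessName="C:\Windows\System32\svchost.exe" NewProcessName="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Temp\update.hta"',
    r'EventCode=4688 Computer="ws02" ParentProcessName="C:\Windows\System32\svchost.exe" NewProcessName="C:\Windows\System32\conhost.exe" CommandLine="conhost.exe 0x4"',
    r'EventCode=1 Computer="ws03" ParentImage="C:\Windows\System32\wbem\WmiPrvSE.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File inventory.ps1"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value / key="quoted value" log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def get_field(event: Dict[str, str], logical: str) -> Optional[str]:
    """Look up a logical field through the assumed Sysmon/Security aliases."""
    for name in FIELD_ALIASES[logical]:
        if name in event:
            return event[name]
    return None


def is_suspicious_mshta_spawn(event: Dict[str, str]) -> bool:
    """True when mshta.exe is the child and wmiprvse.exe or svchost.exe is the parent.

    Matching is done on the file name only, case-insensitively, so full paths,
    mixed case and forward slashes in the telemetry do not cause misses.
    """
    image = get_field(event, "image")
    parent = get_field(event, "parent")
    if not image or not parent:
        return False
    return basename(image) == TARGET_CHILD and basename(parent) in SUSPICIOUS_PARENTS


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the check over raw event lines and return the fields an analyst would triage."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_mshta_spawn(event):
            hits.append({
                "host": event.get("Computer", "?"),
                "parent": basename(get_field(event, "parent")),
                "process": basename(get_field(event, "image")),
                "command_line": get_field(event, "cmdline") or "",
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[suspicious mshta spawn] host={hit['host']} parent={hit['parent']} "
              f"process={hit['process']} cmdline={hit['command_line']}")
```

Of the five constructed events, only the first and third match: `mshta.exe` launched by `explorer.exe` (a user double-clicking an .hta) is deliberately not flagged, and `wmiprvse.exe` launching `powershell.exe` is outside this rule's scope. Triage of a hit starts from the captured command line, since a legitimate WMI- or service-driven HTA launch is rare enough that each one merits a look.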
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Container
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1218
  • T1218.005
Created: 2024-11-13