Suspicious Microsoft HTML Application Child Process

Elastic Detection Rules

Summary
This detection rule identifies instances where Mshta.exe spawns suspicious child processes, a pattern indicative of adversarial activity. Mshta.exe is a legitimate Windows utility for running Microsoft HTML Applications (HTA files), which attackers often abuse to evade detection and execute malicious scripts. The rule uses an EQL query that monitors process activity, focusing on cases where Mshta.exe is the parent of commonly misused executables such as cmd.exe or powershell.exe. By examining the process invocation and the command-line arguments of Mshta.exe, the rule helps uncover unauthorized network connections that may indicate a malicious payload. Potential false positives from legitimate software updates are addressed through exceptions for known benign parent processes and specific executable paths. The rule's maturity level is production, providing a robust defensive layer against this emerging threat.
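As an added illustration of the parent/child logic the summary describes (not the rule's actual EQL, and not Elastic's code), the following Python classifier runs the same idea over constructed ECS-style process events; the benign-HTA exception list and all sample paths and hostnames are assumptions.

```python
"""Illustrative detector: mshta.exe spawning a suspicious child process.

Added example, not the Elastic rule's EQL. Field names follow ECS
(process.name, process.executable, process.parent.name,
process.parent.command_line). The exception list is a constructed
stand-in for the rule's real known-benign exceptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # children named in the summary
# Constructed exception: a hypothetical vendor help file legitimately run via mshta.
BENIGN_HTA_SOURCES = {r"c:\program files\examplevendor\help\help.hta"}
# Remote HTA sources in mshta's arguments: URL schemes or UNC paths.
REMOTE_SOURCE = re.compile(r"(?:https?|ftp)://|\\\\[^\\\s]+\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    name: str                  # process.name
    executable: str            # process.executable
    parent_name: str           # process.parent.name
    parent_command_line: str   # process.parent.command_line


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if ev.parent_name.lower() != "mshta.exe":
        return []
    cmdline = ev.parent_command_line.lower()
    if any(src in cmdline for src in BENIGN_HTA_SOURCES):
        return []  # known-benign exception, suppresses the alert
    reasons = []
    if ev.name.lower() in SUSPICIOUS_CHILDREN:
        reasons.append(f"mshta.exe spawned {ev.name.lower()}")
    if REMOTE_SOURCE.search(ev.parent_command_line):
        reasons.append("mshta.exe was launched with a remote HTA source")
    return reasons


def alerts(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Collect (child name, reasons) for every event that trips the logic."""
    return [(ev.name, r) for ev in events if (r := classify(ev))]


# Constructed sample telemetry (paths and hostname are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "mshta.exe", r"mshta.exe http://example.invalid/page.hta"),
    ProcessEvent("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "mshta.exe", r"mshta.exe C:\Program Files\ExampleVendor\help\help.hta"),
    ProcessEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                 "explorer.exe", r"C:\Windows\explorer.exe"),
]
```

Only the first sample event alerts: the second is suppressed by the constructed benign-HTA exception, the third has no mshta.exe parent.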
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1218
  • T1218.005
Created: 2025-08-19