
Summary
This detection rule identifies potentially malicious execution of the MSHTA utility (mshta.exe) on Windows systems. The behavior under scrutiny is the execution of MSHTA with command-line arguments that include URLs, specifically those beginning with 'http://', 'https://', or 'ftp://'. Such behavior indicates an attempt to run a remotely hosted HTML Application (HTA) file, a known vector for malware delivery and execution. Attackers favor HTA files because they can execute scripts and commands without triggering the security controls typically applied to executable files. The rule captures this by monitoring process creation events in which the command line of the MSHTA process contains these URL indicators. A high severity level has been assigned because executing remote HTA files can lead to serious compromise, including ransomware and other malware.
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-08-08