Suspicious Child Process for mshta.exe

Anvilogic Forge

Summary
This detection rule identifies abnormal behavior of the `mshta.exe` process by monitoring for unexpected child processes being spawned. `mshta.exe` is a legitimate Microsoft binary used to execute HTA (HTML Application) files, but it can be misused by malicious actors for process injection, process hollowing, and other evasion techniques. When `mshta.exe` launches processes such as `powershell.exe`, `cmd.exe`, `rundll32.exe`, or the script interpreters `cscript.exe` and `wscript.exe`, this is suspicious and potentially indicates that the process is being used as a proxy for executing malicious commands. The detection relies on Sysmon event logs and applies regex filters to the parent and child process fields so that only the relevant parent/child pairs are captured. The matching events are aggregated by time and host to surface potential compromises as they occur.
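The parent/child filter and the time-and-host aggregation described above, as an added, stand-alone illustration that is not Anvilogic's own query: it assumes Sysmon Event ID 1 (process creation) records with the fields `UtcTime`, `Computer`, `ParentImage` and `Image`, and runs over a few constructed sample events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex filters mirroring the rule's parent/child logic (example code, not the Forge rule itself).
PARENT_RE = re.compile(r"(?i)(^|\\)mshta\.exe$")
CHILD_RE = re.compile(r"(?i)(^|\\)(powershell|cmd|rundll32|cscript|wscript)\.exe$")


def is_suspicious(event):
    """True for a Sysmon Event ID 1 record in which mshta.exe spawns a listed child."""
    if event.get("EventID") != 1:
        return False
    return bool(PARENT_RE.search(event.get("ParentImage", ""))
                and CHILD_RE.search(event.get("Image", "")))


def aggregate(events, bucket_minutes=5):
    """Group suspicious events by (host, time bucket) -> list of child image paths."""
    hits = defaultdict(list)
    for ev in events:
        if not is_suspicious(ev):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
        hits[(ev["Computer"], bucket.isoformat())].append(ev["Image"])
    return dict(hits)


# Constructed sample records (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-09 10:01:12", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:03:40", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:02:05", "Computer": "WS02",
     "ParentImage": r"C:\Windows\explorer.exe",  # benign parent, not matched
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:02:30", "Computer": "WS02",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},  # child not in the watched list
    {"EventID": 3, "UtcTime": "2024-02-09 10:02:31", "Computer": "WS02",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},  # network event, not process creation
]

if __name__ == "__main__":
    for (host, bucket), children in aggregate(SAMPLE_EVENTS).items():
        print(f"{host} {bucket}: {len(children)} suspicious child(ren) -> {children}")
```

Only the two WS01 events match and they fall into the same 5-minute bucket, which is the kind of per-host cluster the rule is meant to surface.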
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1059
  • T1218.005
Created: 2024-02-09