
Summary
This rule detects instances where mshta.exe, a legitimate Microsoft application for executing HTML applications, has been renamed and executed. Attackers often rename this executable to bypass security defenses and run malicious scripts. The detection uses data from Endpoint Detection and Response (EDR) solutions and focuses on process-creation events where the binary's original file name is mshta.exe but the name under which it was executed differs, which indicates renaming. It enables security teams to identify potentially malicious activity that could lead to system compromise, unauthorized data access, or lateral movement within networks. By analyzing Sysmon Event ID 1, Windows Security Event 4688, and CrowdStrike's ProcessRollup2 data sources, the detection surfaces process executions that abuse the legitimate functionality of mshta.exe under a different name. Implementers must ensure these logs are appropriately configured and ingested into a SIEM platform, using the Splunk Common Information Model (CIM) to normalize the data.
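The core comparison the rule makes, written here as an added example in Python rather than the rule's own search logic: each process-creation record is flagged when its embedded original file name is mshta.exe but the launched image name is not. The records are constructed to resemble Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine are assumed to follow Sysmon's naming); they are not real telemetry.

```python
"""Flag process-creation events where a binary whose OriginalFileName is
mshta.exe was launched under a different file name (a renamed copy)."""
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Constructed sample events in a Sysmon Event ID 1-like shape (assumption:
# field names mirror Sysmon's Image / OriginalFileName / CommandLine).
SAMPLE_EVENTS = [
    # Normal: launched from the expected location under its own name.
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\report.hta"'},
    # Renamed copy dropped in a user-writable directory.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r'svchost.exe "C:\Users\Public\page.hta"'},
    # Casing differs only in the version resource; still the genuine binary.
    {"Image": r"C:\Windows\SysWOW64\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe"},
    # Renamed copy again, on another drive.
    {"Image": r"D:\tmp\update.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"update.exe"},
    # An EDR may omit OriginalFileName; without it the rule cannot match.
    {"Image": r"C:\Users\bob\tool.exe",
     "CommandLine": r"tool.exe"},
    # Unrelated process whose name happens to contain "mshta".
    {"Image": r"C:\Program Files\Vendor\mshta_helper.exe",
     "OriginalFileName": "mshta_helper.exe", "CommandLine": r"mshta_helper.exe"},
]


def is_renamed_mshta(event):
    """True when the PE's original name is mshta.exe but the on-disk name is not.

    Comparison is case-insensitive because PE version resources and NTFS
    paths both preserve case without requiring it. A missing OriginalFileName
    yields False: the rule depends on the field being populated.
    """
    original = event.get("OriginalFileName", "").lower()
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return original == "mshta.exe" and image_name != "mshta.exe"


def find_renamed_mshta(events):
    """Return the subset of events that trip the renamed-mshta check."""
    return [e for e in events if is_renamed_mshta(e)]


if __name__ == "__main__":
    for hit in find_renamed_mshta(SAMPLE_EVENTS):
        print("renamed mshta.exe:", hit["Image"], "|", hit["CommandLine"])
```

Sysmon Event ID 1 and CrowdStrike ProcessRollup2 both carry the original file name; Windows Security Event 4688 does not, so coverage from that source alone depends on enriching the event with the binary's version information.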
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.005
Created: 2024-11-13