
Summary
This detection rule identifies instances where the MSHTA (Microsoft HTML Application Host) executable makes outbound network connections, which is often a signal of adversarial activity. Mshta.exe is a legitimate Windows utility that attackers can abuse to execute malicious scripts while evading detection. The rule uses an EQL sequence query to monitor for such activity. It filters out benign executions of mshta.exe by excluding specific parent processes and command-line arguments that are known to be safe. The rule has a medium risk score, indicating that while the activity may not be immediately catastrophic, it warrants attention because of its potential use in evading security controls. Investigation steps include reviewing process trees, analyzing command-line arguments, and examining the network connections associated with mshta.exe to identify any anomalous behavior that may require remediation.
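As an added example, not the rule's own EQL query, the sequence logic described above re-implemented in Python over constructed sample telemetry: the event field names, the benign parent and argument exclusions, and the time window are assumptions, not the rule's actual values.

```python
def detect_mshta_network(events, benign_parents, benign_arg_substrings, max_span_s=300):
    """Alert when an mshta.exe start that passed the benign filters is followed,
    within max_span_s seconds, by an outbound connection from that same process
    (an EQL-style "sequence by process" join). Returns one alert dict per match."""
    heads = {}   # entity_id -> qualifying start event awaiting its network event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("process_name", "").lower() != "mshta.exe":
            continue
        if ev["event"] == "start":
            parent = ev.get("parent_name", "").lower()
            cmdline = ev.get("command_line", "").lower()
            if parent in benign_parents or any(s in cmdline for s in benign_arg_substrings):
                continue  # known-good launch: never becomes a sequence head
            heads[ev["entity_id"]] = ev
        elif ev["event"] == "network" and ev.get("direction") == "outbound":
            # A connection with no observed start (process predates telemetry)
            # does not alert; that is the blind spot of any sequence rule.
            head = heads.pop(ev["entity_id"], None)
            if head and ev["ts"] - head["ts"] <= max_span_s:
                alerts.append({"entity_id": ev["entity_id"], "parent": head["parent_name"],
                               "command_line": head["command_line"], "dest": ev["dest"]})
    return alerts

# Constructed sample telemetry; 203.0.113.0/24 is documentation address space.
SAMPLE_EVENTS = [
    {"ts": 10, "event": "start", "entity_id": "p1", "process_name": "mshta.exe",
     "parent_name": "explorer.exe", "command_line": "mshta.exe http://example.invalid/a.hta"},
    {"ts": 12, "event": "network", "entity_id": "p1", "process_name": "mshta.exe",
     "direction": "outbound", "dest": "203.0.113.5:443"},
    # Launched by an assumed-benign installer parent: filtered out despite connecting.
    {"ts": 20, "event": "start", "entity_id": "p2", "process_name": "mshta.exe",
     "parent_name": "vendor_installer_placeholder.exe", "command_line": "mshta.exe C:\\Temp\\ui.hta"},
    {"ts": 21, "event": "network", "entity_id": "p2", "process_name": "mshta.exe",
     "direction": "outbound", "dest": "203.0.113.9:80"},
    # Network event with no start in the window: not alerted.
    {"ts": 30, "event": "network", "entity_id": "p3", "process_name": "mshta.exe",
     "direction": "outbound", "dest": "203.0.113.7:443"},
]

# Placeholder exclusions standing in for the rule's actual allow-list (assumed values).
BENIGN_PARENTS = {"vendor_installer_placeholder.exe"}
BENIGN_ARGS = ("\\vendor_placeholder\\",)

def run_sample():
    """Run the detection over the constructed events with the placeholder exclusions."""
    return detect_mshta_network(SAMPLE_EVENTS, BENIGN_PARENTS, BENIGN_ARGS)
```

Only the explorer.exe-spawned process (p1) alerts; p2 is dropped by the parent exclusion and p3 has no observed start, which is why a rule like this should be paired with coverage for processes already running when telemetry begins.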
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1218
- T1218.005
Created: 2020-09-02