
Script Execution via Microsoft HTML Application

Elastic Detection Rules

Summary
This detection rule identifies script execution via Microsoft HTML Applications (HTAs) through the signed Windows utilities `mshta.exe` and `rundll32.exe`. Adversaries abuse these living-off-the-land binaries to run attacker-controlled script under the cover of legitimate, trusted processes and thereby evade application control and script-blocking defenses. The rule inspects process command lines for patterns that indicate script execution, including *eval*, *GetObject*, and *WScript.Shell*, and for execution anomalies such as HTA files launched from download or temporary directories. Known benign parent processes are excluded to reduce false positives from legitimate software installers and management tooling.
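The following is an added example that is not the Elastic rule's own query or code; it reimplements the detection logic the summary describes (LOLBin process name, script-token or suspicious-HTA-path check, benign-parent exclusion) in Python and runs it over a handful of constructed process-creation events. The token list, directory list and parent allowlist are assumptions chosen for illustration, not the rule's actual values.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. mshta with an inline VBScript payload spawned by Word (classic maldoc chain)
    {"name": "mshta.exe",
     "command_line": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""calc.exe"":close")',
     "parent": "winword.exe"},
    # 2. HTA file run straight out of the user's Downloads folder
    {"name": "mshta.exe",
     "command_line": r"mshta.exe C:\Users\alice\Downloads\invoice.hta",
     "parent": "explorer.exe"},
    # 3. rundll32 loading mshtml to evaluate inline JavaScript
    {"name": "rundll32.exe",
     "command_line": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval("...")',
     "parent": "cmd.exe"},
    # 4. installer-launched HTA under Program Files: parent is on the (assumed) allowlist
    {"name": "mshta.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\Setup\install.hta",
     "parent": "msiexec.exe"},
    # 5. ordinary rundll32 usage with no script tokens and no HTA
    {"name": "rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": "explorer.exe"},
]

LOLBINS = {"mshta.exe", "rundll32.exe"}
# Assumed indicator list: substrings that signal inline script execution.
SCRIPT_INDICATORS = ("eval(", "getobject", "wscript.shell", "javascript:", "vbscript:")
# Assumed user-writable locations from which an HTA should rarely be launched.
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\", "\\tmp\\", "\\public\\", "\\appdata\\local\\temp\\")
# Assumed benign parents (installers) excluded to cut false positives.
ALLOWED_PARENTS = {"msiexec.exe", "setup.exe"}
# Windows path ending in .hta, e.g. C:\Users\alice\Downloads\invoice.hta
HTA_PATH = re.compile(r'[A-Za-z]:\\[^"\s]*?\.hta\b', re.IGNORECASE)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event matches; an empty list means no alert."""
    if event["name"].lower() not in LOLBINS:
        return []
    if event["parent"].lower() in ALLOWED_PARENTS:
        return []  # benign-parent exclusion applied before any content checks
    cmdline = event["command_line"]
    lowered = cmdline.lower()
    reasons = [f"script indicator: {tok}" for tok in SCRIPT_INDICATORS if tok in lowered]
    for match in HTA_PATH.finditer(cmdline):
        path = match.group(0)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"hta from suspicious dir: {path}")
    return reasons


def alerting_indices(events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events that would raise an alert."""
    return [i for i, ev in enumerate(events) if evaluate(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, ev["name"], "<-", ev["parent"], evaluate(ev) or "no alert")
```

Events 1, 2 and 3 alert (inline script tokens in the first and third, an HTA under Downloads in the second); event 4 is suppressed by the parent allowlist and event 5 carries no indicator at all. The parent exclusion is the weak point of such logic: anything that can spawn its HTA from an allowlisted parent, or that drops the HTA in a path outside the suspicious-directory list, walks past it, so the list should stay short and be reviewed against the environment's actual installers.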
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Application Log
  • Windows Registry
  • File
ATT&CK Techniques
  • T1218
  • T1218.005
  • T1218.011
Created: 2020-09-09