
Summary
This detection rule identifies the mshta.exe process making a network connection, which can signal adversarial activity. Attackers commonly abuse mshta.exe to run malicious scripts while evading traditional detection mechanisms. The rule uses an EQL sequence query: it first matches the start of an mshta.exe process and then matches any network activity originating from that same process. The risk score assigned to this behavior is medium (47), indicating a moderate level of threat. In the MITRE ATT&CK framework it maps to the technique 'Signed Binary Proxy Execution' (T1218), specifically the sub-technique 'Mshta' (T1218.005), which describes how this method is used to evade defenses. According to the rule's metadata, this rule has been marked deprecated since October 30, 2020, and should be used with caution.
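The two-stage sequence described above, as an added illustration written in Python rather than EQL (the page does not include the rule's actual query text, so this is not the rule's own code). The ECS-style field names (event.category, process.name, process.entity_id, destination.ip), the sample events and the two-minute maximum span are constructed assumptions for the example. It shows why the stage-one process-start event matters: a network event from an mshta.exe process whose start was never observed cannot complete the sequence, and a match that falls outside the span is dropped.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in ECS-like shape (field names are an assumption,
# not the rule's actual query fields). Timestamps are UTC.
SAMPLE_EVENTS = [
    # p-100: mshta.exe starts, then connects out two seconds later -> should fire
    {"@timestamp": "2020-02-18T10:00:00Z", "event.category": "process", "event.type": "start",
     "process.name": "mshta.exe", "process.entity_id": "p-100", "host.name": "ws01"},
    {"@timestamp": "2020-02-18T10:00:02Z", "event.category": "network", "event.type": "connection",
     "process.name": "mshta.exe", "process.entity_id": "p-100", "destination.ip": "203.0.113.10"},
    # p-101: a different binary doing the same thing -> out of scope for this rule
    {"@timestamp": "2020-02-18T10:05:00Z", "event.category": "process", "event.type": "start",
     "process.name": "notepad.exe", "process.entity_id": "p-101", "host.name": "ws01"},
    {"@timestamp": "2020-02-18T10:05:01Z", "event.category": "network", "event.type": "connection",
     "process.name": "notepad.exe", "process.entity_id": "p-101", "destination.ip": "203.0.113.11"},
    # p-102: mshta.exe starts but never makes a network connection -> no match
    {"@timestamp": "2020-02-18T10:10:00Z", "event.category": "process", "event.type": "start",
     "process.name": "MSHTA.EXE", "process.entity_id": "p-102", "host.name": "ws01"},
    # p-104: network event with no observed process start (telemetry gap) -> no match
    {"@timestamp": "2020-02-18T10:15:00Z", "event.category": "network", "event.type": "connection",
     "process.name": "mshta.exe", "process.entity_id": "p-104", "destination.ip": "203.0.113.12"},
    # p-103: start and connection 30 minutes apart -> only matches with a wide span
    {"@timestamp": "2020-02-18T11:00:00Z", "event.category": "process", "event.type": "start",
     "process.name": "mshta.exe", "process.entity_id": "p-103", "host.name": "ws01"},
    {"@timestamp": "2020-02-18T11:30:00Z", "event.category": "network", "event.type": "connection",
     "process.name": "mshta.exe", "process.entity_id": "p-103", "destination.ip": "203.0.113.13"},
]

# Rule metadata taken from the page
RULE_RISK_SCORE = 47
RULE_TECHNIQUES = ["T1218", "T1218.005"]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mshta_network_sequences(events, max_span=timedelta(minutes=2)):
    """Return (start_event, network_event) pairs for mshta.exe processes that
    started and then made a network connection within max_span.

    Stage 1: a process-start event for mshta.exe (case-insensitive name match).
    Stage 2: a network event from the same process.entity_id, within max_span.
    """
    pending = {}   # process.entity_id -> stage-1 start event awaiting stage 2
    matches = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if ev.get("process.name", "").lower() != "mshta.exe":
            continue
        eid = ev.get("process.entity_id")
        if ev.get("event.category") == "process" and ev.get("event.type") == "start":
            pending[eid] = ev
        elif ev.get("event.category") == "network":
            start = pending.get(eid)
            if start is None:
                continue   # start never observed: the sequence cannot complete
            if parse_ts(ev["@timestamp"]) - parse_ts(start["@timestamp"]) <= max_span:
                matches.append((start, ev))
            pending.pop(eid)   # either matched or expired; stop tracking it
    return matches


def matched_entity_ids(events, max_span=timedelta(minutes=2)):
    """Convenience view: the process.entity_id of every completed sequence."""
    return [start["process.entity_id"] for start, _ in find_mshta_network_sequences(events, max_span)]


def build_alert(start, net):
    """Shape a completed sequence into an alert record carrying the page's rule metadata."""
    return {
        "host": start.get("host.name"),
        "process.entity_id": start["process.entity_id"],
        "destination.ip": net.get("destination.ip"),
        "risk_score": RULE_RISK_SCORE,
        "techniques": list(RULE_TECHNIQUES),
    }


if __name__ == "__main__":
    for start, net in find_mshta_network_sequences(SAMPLE_EVENTS):
        print(build_alert(start, net))
```

Run as-is, the default two-minute span fires only for p-100; widening the span to an hour also catches p-103, which is the usual tuning trade-off between missing slow-to-connect instances and keeping unrelated events out of one sequence. The p-104 case is worth keeping in mind when validating a sequence rule: if endpoint telemetry started after the process was already running, the rule is silent for it.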
Categories
- Endpoint
- Windows
- Other
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1218
- T1218.005
Created: 2020-02-18