Detects remote thread creation from CACTUSTORCH as described in references.
Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Detects Mshta executing code from the registry