Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Detects activity that could be related to Baby Shark malware
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Detects remote thread creation from CACTUSTORCH as described in references.
Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Detects a Mshta executing code from the registry