From 059cfbf15aad8aaf7dfdffd3f4d214b591bb14b6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 13 Apr 2017 01:21:46 +0200
Subject: [PATCH] Removed duplicate
---
 rules/windows/sysmon/sysmon_susp_mshta.yml | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 rules/windows/sysmon/sysmon_susp_mshta.yml
diff --git a/rules/windows/sysmon/sysmon_susp_mshta.yml b/rules/windows/sysmon/sysmon_susp_mshta.yml
deleted file mode 100644
index b57486795..000000000
--- a/rules/windows/sysmon/sysmon_susp_mshta.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-title: Suspicious MSHTA Child
-status: experimental
-description: Detects a Microsoft HTML Application Host execution a suspicious child process
-reference: https://twitter.com/wdormann/status/851615583099650049
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage: '*\mshta.exe'
- condition: selection
-falsepositives:
- - unknown
-level: high
-