diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
index 20a5fab3d..72d305b63 100644
--- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
+++ b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
@@ -24,6 +24,7 @@ detection:
 - '*\nslookup.exe'
 - '*\certutil.exe'
 - '*\bitsadmin.exe'
+ - '*\mshta.exe'
 condition: selection
 fields:
 - CommandLine
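Review bot: The added `'*\mshta.exe'` entry is matched by path suffix only, and the visible `condition: selection` applies no filter, so the rule alerts on every match of that name and misses a copy of the binary stored under another name. The field this list belongs to and the `falsepositives` section are outside the hunk; if the list is the spawned-process list, as the file name suggests, legitimate HTA front ends started from a script or command prompt will now alert. If that case is not already documented, add a line such as `- HTA-based administrative tools started from a script or command prompt` under `falsepositives`. Where the log source records it, also matching the binary's original file name would make the entry independent of the name on disk.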