From 52d405bb1bc516a1dad3aad997efdc7688de03bb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 11 Apr 2018 20:09:28 +0200
Subject: [PATCH] Improved shell spawning rule
---
 rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
index 20a5fab3d..72d305b63 100644
--- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
+++ b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
@@ -24,6 +24,7 @@ detection:
 - '*\nslookup.exe'
 - '*\certutil.exe'
 - '*\bitsadmin.exe'
+ - '*\mshta.exe'
 condition: selection
 fields:
 - CommandLine
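Review bot: The added `'*\mshta.exe'` entry widens what the rule fires on, but nothing in the hunk updates the rule's metadata; a Sigma rule normally carries a `modified` date and a `falsepositives` list, and both sit outside this hunk, so they should be touched in the same commit. mshta.exe launched from a shell may also occur in some legitimate script-based installers, so a short entry under `falsepositives` naming that case would help analysts triage hits from the new entry. The `fields` list already exposes `CommandLine`, which is the right triage field here since the HTA argument is what distinguishes the cases; consider adding `ParentCommandLine` alongside it so the spawning shell's invocation is visible too. The `selection` block that this list belongs to starts above the hunk, so the parent-image half of the rule could not be checked here.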