diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index 5150f39a2..838bb5543 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -1,4 +1,4 @@
-title: Microsoft Office Product Spawning Windows Shell
+title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
diff --git a/rules/windows/sysmon/sysmon_susp_mshta.yml b/rules/windows/sysmon/sysmon_susp_mshta.yml
new file mode 100644
index 000000000..b57486795
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_mshta.yml
@@ -0,0 +1,17 @@
+title: Suspicious MSHTA Child
+status: experimental
+description: Detects a Microsoft HTML Application Host execution a suspicious child process
+reference: https://twitter.com/wdormann/status/851615583099650049
+author: Florian Roth
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 1
+    ParentImage: '*\mshta.exe'
+  condition: selection
+falsepositives:
+  - unknown
+level: high
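Review bot: The `selection` block in the new sysmon_susp_mshta.yml rule constrains only `ParentImage: '*\mshta.exe'`, so it alerts on every process mshta.exe starts rather than on the suspicious children the title promises; a legitimate HTA-based installer or admin script that launches a helper will raise a `level: high` alert while `falsepositives` says only `unknown`. Either add an `Image` selection naming the child binaries the rule is meant to catch, or state in `falsepositives` that all mshta.exe child processes are matched and set `level` to reflect that broader scope. The description also has a grammar slip, `execution a suspicious child process`; suggest `description: Detects a Microsoft HTML Application Host executing a suspicious child process`. The hunk header announces 17 added lines but only 16 are visible here, which looks like a trailing blank line lost in rendering rather than a content change.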