diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
new file mode 100644
index 00000000..aa83953d
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
@@ -0,0 +1,23 @@
+title: MSHTA Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from MSHTA.
+reference: https://www.trustedsec.com/july-2015/malicious-htas/
+author: Michael Haag
+logsource:
+ product: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\mshta.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ condition: selection
+falsepositives:
+ - Minimal FPs.
+level: high
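Review bot: The `falsepositives` entry `- Minimal FPs.` and the absence of a `tags` block leave an analyst with nothing to triage against or to map the alert to, which matters for a rule shipped at `level: high`. The selection itself is sound for its purpose (Sysmon EventID 1 with `ParentImage` ending in `\mshta.exe` and an explicit `Image` list of shells and script hosts), but the rule should say what benign activity can trigger it, e.g. `- Legitimate HTA-based administrative or installer tooling that launches a shell` in place of the current line, and carry an ATT&CK mapping such as `tags: [attack.execution, attack.t1218.005]`. Note that `Image` is an explicit list, so any interpreter not named here is out of scope of this rule by design; a sentence in `description` stating that would save future readers from assuming broader coverage. The hunk as rendered on this page appears to have lost the YAML indentation under `logsource`, `detection` and `falsepositives`; the committed file presumably has it, but it is worth confirming the rule parses.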