
Summary
This detection rule identifies instances where a suspicious child process is spawned from the Windows system process (PID 4). This activity could indicate code injection attempts by adversaries, aiming to discreetly execute unauthorized actions on a host. The rule is structured to flag any unexpected executables that originate from the critical System process while excluding known legitimate processes, such as 'smss.exe' and system maintenance tasks. Analysts are guided through investigating these child processes by reviewing their details against known malicious patterns, ensuring the legitimacy of the parent process, and examining related telemetry from security solutions. The detection rule leverages EQL (Event Query Language) to scan logs from various sources, including Windows Event Logs and Microsoft Defender, to ensure comprehensive coverage against potential threats.
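A minimal reimplementation of the logic the summary describes, run over a few constructed process-creation events. This is an added example, not the rule's own EQL query; the event field names (`action`, `pid`, `ppid`, `name`, `exe`, `parent_name`) are assumed, and the only exclusion carried over from the summary is `smss.exe` (the real rule also excludes maintenance tasks that are not enumerated here).

```python
# Added example: flag child processes spawned by the Windows System process (PID 4)
# unless the child is on a known-legitimate list. Not the original rule's EQL.
# Field names below are an assumed, simplified schema for demonstration only.

SYSTEM_PID = 4                       # PID 4 is always the System process on Windows

# 'smss.exe' is the exclusion named in the rule summary; the production rule also
# excludes system maintenance tasks that are not listed on this page.
LEGITIMATE_CHILDREN = {"smss.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"action": "start", "pid": 528, "ppid": 4, "parent_name": "System",
     "name": "smss.exe", "exe": r"C:\Windows\System32\smss.exe"},
    {"action": "start", "pid": 7044, "ppid": 4, "parent_name": "System",
     "name": "loader.exe", "exe": r"C:\Users\Public\loader.exe"},
    {"action": "start", "pid": 1820, "ppid": 760, "parent_name": "services.exe",
     "name": "svchost.exe", "exe": r"C:\Windows\System32\svchost.exe"},
    {"action": "end", "pid": 528, "ppid": 4, "parent_name": "System",
     "name": "smss.exe", "exe": r"C:\Windows\System32\smss.exe"},
]


def is_suspicious_system_child(event):
    """True when a process-start event has PID 4 as parent and the child
    executable name is not on the allowlist (case-insensitive match)."""
    if event.get("action") != "start":          # only process creation matters
        return False
    if event.get("ppid") != SYSTEM_PID:
        return False
    child = (event.get("name") or "").lower()
    return child not in LEGITIMATE_CHILDREN


def find_suspicious_children(events):
    """Return the list of events that should raise an alert."""
    return [e for e in events if is_suspicious_system_child(e)]


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} {hit['exe']} spawned by System (PID {SYSTEM_PID})")
```

Against the constructed events only `loader.exe` (pid 7044) is reported; the `smss.exe` start is allowlisted, the `svchost.exe` start has a different parent, and the `smss.exe` end event is ignored because it is not a process creation.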
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- User Account
- Service
ATT&CK Techniques
- T1055
Created: 2020-08-19