Unusual svchost Child Process

Anvilogic Forge

Summary
This detection rule aims to identify unusual child processes spawned by the Service Host (svchost.exe) in Windows environments, which may indicate malicious activity such as process injection. Adversaries often use code injection to evade detection by running payloads in the address space of legitimate processes, masking their activity. svchost.exe normally hosts multiple Windows services, and its expected behaviour does not usually include spawning unusual child processes. The rule specifically targets cases where svchost.exe spawns child processes that are not commonly associated with its normal operation; these may indicate that an adversary has injected code into svchost to execute malicious actions under the guise of a legitimate process. The rule uses Sysmon logs, checking the Event IDs related to process creation and filtering for child processes that are not legitimately spawned under svchost. This detection is also linked to the Lazarus threat actor group, which is known for employing sophisticated process injection techniques.
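The check the summary describes, as an added illustration rather than Anvilogic's own rule logic: it runs over Sysmon process-creation records (Event ID 1) that are assumed to be already parsed into dicts with Sysmon's standard field names, and flags any child of svchost.exe whose image is not on an allowlist of expected children. The allowlist and the sample events are constructed for this example and must be tuned per environment.

```python
"""Flag unusual svchost.exe children in Sysmon process-creation events.

Added example, not the Anvilogic Forge rule. Assumes Sysmon Event ID 1
(Process Create) records parsed into dicts keyed by the standard Sysmon
field names (EventID, UtcTime, ParentImage, Image, CommandLine).
"""
from pathlib import PureWindowsPath

# Children that svchost.exe routinely starts on a typical Windows host.
# Constructed, illustrative allowlist: extend it from your own baseline.
EXPECTED_CHILDREN = {
    "wermgr.exe", "werfault.exe", "taskhostw.exe", "dllhost.exe",
    "msiexec.exe", "wuauclt.exe", "backgroundtaskhost.exe",
}


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (handles missing field)."""
    return PureWindowsPath(image or "").name.lower()


def is_unusual_svchost_child(event: dict) -> bool:
    """True when a Sysmon Event ID 1 record has svchost.exe as parent and a
    child image outside the expected-children allowlist."""
    if event.get("EventID") != 1:
        return False  # only process-creation events carry ParentImage
    if _basename(event.get("ParentImage")) != "svchost.exe":
        return False
    return _basename(event.get("Image")) not in EXPECTED_CHILDREN


def find_unusual_children(events: list) -> list:
    """Return the flagged events in their original (chronological) order."""
    return [e for e in events if is_unusual_svchost_child(e)]


# Constructed sample telemetry (not real logs): one expected child, one
# unexpected child of svchost, one cmd.exe under a different parent.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-09 10:00:01.000",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wermgr.exe", "CommandLine": "wermgr.exe -upload"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:00:02.000",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:00:03.000",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_unusual_children(SAMPLE_EVENTS):
        print(f"{hit['UtcTime']} svchost.exe -> {hit['Image']}: {hit['CommandLine']}")
```

Only the second sample event is reported; the explorer.exe-parented cmd.exe is out of scope for this rule, which is why it should be paired with other parent-child detections rather than used alone.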
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1055
Created: 2024-02-09