
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Sigma Rules
Summary
This detection rule identifies potentially suspicious child processes spawned by the ScreenConnect client service on Windows. ScreenConnect, also known as ConnectWise Control, is a remote access tool that can be abused for malicious purposes, particularly when it is used without the knowledge of the system owner. The rule monitors process creation events and checks for specific parent command line patterns together with executable names associated with remote command execution. By detecting these patterns, the rule aims to surface unauthorized remote access and command execution that could indicate abuse of ScreenConnect for espionage or other malicious activity. The detection criteria are that the parent process command line contains paths indicative of ScreenConnect activity and that the child process image name matches a predefined list of executables commonly used to run remote commands.
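The following Python is an added illustration of the matching logic the summary describes, not the Sigma rule itself; the field names follow Sigma's process_creation schema (ParentCommandLine, Image), while the path markers, executable list and sample events are assumptions standing in for the rule's actual values, which this page does not list.

```python
# Added illustration of the detection logic described above; it is not the
# Sigma rule. The marker and executable lists below are assumptions standing
# in for the rule's real values, which this summary page does not list.

# Assumed parent-command-line fragments that point at the ScreenConnect client service.
SCREENCONNECT_PARENT_MARKERS = (
    "\\screenconnect client",            # default install directory fragment (assumed)
    "screenconnect.clientservice.exe",   # client service binary name (assumed)
)

# Assumed stand-in for the rule's "predefined list" of remote-command executables.
SUSPICIOUS_CHILD_IMAGES = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
})


def is_suspicious_screenconnect_child(event: dict) -> bool:
    """True when the ScreenConnect service spawns a shell or script interpreter."""
    parent_cmd = event.get("ParentCommandLine", "").lower()
    image_name = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent_is_screenconnect = any(m in parent_cmd for m in SCREENCONNECT_PARENT_MARKERS)
    return parent_is_screenconnect and image_name in SUSPICIOUS_CHILD_IMAGES


def find_alerts(events: list) -> list:
    """Return the EventIds of all events that satisfy both detection criteria."""
    return [e["EventId"] for e in events if is_suspicious_screenconnect_child(e)]


# Constructed sample process-creation events (not real telemetry).
SC_SERVICE = (r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)'
              r'\ScreenConnect.ClientService.exe" "?e=Access&y=Guest"')
SAMPLE_EVENTS = [
    {"EventId": "evt-1", "ParentCommandLine": SC_SERVICE,
     "Image": r"C:\Windows\System32\cmd.exe"},          # shell under the service: alert
    {"EventId": "evt-2", "ParentCommandLine": SC_SERVICE,
     "Image": r"C:\Windows\System32\conhost.exe"},      # console host: no alert
    {"EventId": "evt-3", "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},          # shell, but not from ScreenConnect
    {"EventId": "evt-4", "ParentCommandLine": SC_SERVICE,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # alert
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```

Matching on the parent command line rather than only the parent image catches the service even when the install directory carries a per-deployment suffix, which is why the marker list works on substrings.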
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2022-02-25