
Summary
This detection rule targets suspicious child processes spawned in the context of Microsoft SQL Server, identified by the parent process sqlservr.exe. It is particularly relevant in scenarios where SQL databases are compromised, potentially leading to SQL injection or remote code execution (RCE) attacks. The rule looks for commands that are commonly abused when attackers exploit SQL Server, such as shell commands or legitimate system utilities that can facilitate further exploitation or lateral movement within the network. Built to monitor EDR logs, the rule captures process-creation events where the parent process is sqlservr.exe and the child process matches a list of suspicious executables. The association with the threat actor group FIN7 underlines the rule's relevance for detecting sophisticated intrusions targeting SQL environments. Overall, the detection strategy emphasizes the importance of monitoring SQL Server hosts, given their criticality and their potential as entry points for deeper network compromise.
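The matching logic described above, written out as an added example that is not the rule's own query or part of this page: it runs the parent/child check over a few constructed EDR process-creation events. The page does not list the suspicious executables, so the watch list below is an assumption chosen to reflect the "shell commands or legitimate system utilities" the summary refers to; the event field names (ParentImage, Image, CommandLine) are assumed to mirror common process-creation telemetry.

```python
"""Added example: flag child processes of sqlservr.exe that appear on a watch
list of commonly abused binaries, over constructed EDR process-creation events."""
import ntpath

# Assumed watch list: the page names no specific binaries, so these are
# illustrative choices for "shell commands or legitimate system utilities".
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
}

PARENT_OF_INTEREST = "sqlservr.exe"


def image_name(path):
    """Return the lower-cased file name of a Windows image path.

    ntpath is used so backslash paths are split correctly on any host OS.
    """
    return ntpath.basename(path or "").lower()


def matches_rule(event):
    """True when the event's parent is sqlservr.exe and the child is on the list."""
    parent = image_name(event.get("ParentImage"))
    child = image_name(event.get("Image"))
    return parent == PARENT_OF_INTEREST and child in SUSPICIOUS_CHILDREN


def scan(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry; paths and command lines are made up for the example.
SAMPLE_EVENTS = [
    {   # should match: SQL Server spawning a shell
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # should match: mixed-case path must still be recognised
        "ParentImage": r"C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": "PowerShell.exe -NoProfile -Command Get-Process",
    },
    {   # should not match: wrong parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # should not match: benign child of SQL Server not on the watch list
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
    },
    {   # should not match: event missing the parent field entirely
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]


def hit_count(events=SAMPLE_EVENTS):
    return len(scan(events))


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Two details matter in practice: the comparison is on the image file name rather than the full path, so installation-specific directories and case differences do not cause misses, and events without a parent field fall through as non-matches rather than raising. Before deploying, baseline which children sqlservr.exe legitimately spawns in your environment and tune the list accordingly, since the summary's premise is that any shell or system utility launched by the database engine is worth an analyst's attention.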
Categories
- Windows
- Database
- Application
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1505.001
- T1190
Created: 2024-02-09