
Suspicious PDF Reader Child Process

Elastic Detection Rules

Summary
The rule "Suspicious PDF Reader Child Process" detects potentially malicious child processes spawned by legitimate PDF reader applications. PDF files are ubiquitous in corporate settings, which makes PDF readers an attractive target for exploitation. This EQL rule examines Windows event logs for specific built-in utilities launched by processes associated with PDF readers such as Adobe Reader (AcroRd32.exe, Acrobat.exe) and Foxit Reader (FoxitPhantomPDF.exe, FoxitReader.exe). A PDF reader spawning such an executable is a strong indicator of exploitation or a social engineering attack. The rule also delineates steps for triage, investigation, and incident response, emphasizing the need to check for credential exposure and subsequent lateral movement by the threat.
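To make the rule's core condition concrete, here is an added Python example that is not part of the Elastic rule or this page: it applies the parent/child check to constructed ECS-style JSON process events. The PDF reader names come from the page; the watchlist of child utilities, the ECS field names and the sample events are assumptions.

```python
import json

# Parent process names from the page; matched case-insensitively on the file name.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitphantompdf.exe", "foxitreader.exe"}
# ASSUMPTION: an illustrative watchlist of built-in utilities. The rule's real list is not
# reproduced on this page, so align this with the rule source before relying on it.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Normalise a Windows executable path or name to a lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_pdf_child(event: dict) -> bool:
    """Apply the rule's core condition to one ECS-style process event (assumed field names)."""
    if event.get("event", {}).get("type") != "start":
        return False  # only process-creation events are relevant
    proc = event.get("process", {})
    parent = basename(proc.get("parent", {}).get("name", ""))
    child = basename(proc.get("name", ""))
    return parent in PDF_READERS and child in WATCHED_CHILDREN


def find_alerts(lines):
    """Run the check over JSON-lines input and return the matching events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_pdf_child(event):
            alerts.append(event)
    return alerts


# Constructed sample events (not real telemetry): two hits, one benign parent, one non-start event.
SAMPLE_LOG = r"""
{"event":{"type":"start"},"host":{"name":"ws01"},"process":{"name":"powershell.exe","parent":{"name":"AcroRd32.exe"}}}
{"event":{"type":"start"},"host":{"name":"ws02"},"process":{"name":"cmd.exe","parent":{"name":"C:\\Program Files\\Foxit\\FoxitReader.exe"}}}
{"event":{"type":"start"},"host":{"name":"ws03"},"process":{"name":"cmd.exe","parent":{"name":"explorer.exe"}}}
{"event":{"type":"end"},"host":{"name":"ws04"},"process":{"name":"mshta.exe","parent":{"name":"Acrobat.exe"}}}
"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        p = alert["process"]
        print("ALERT", alert["host"]["name"], p["parent"]["name"], "->", p["name"])
```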
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • User Account
  • Sensor Health
  • Logon Session
  • Malware Repository
ATT&CK Techniques
  • T1203
  • T1566
  • T1566.001
Created: 2020-03-30