
Summary
This rule detects unusual child processes spawned by the dns.exe process on Windows systems, which may indicate malicious activity such as remote code execution or an exploitation attempt. Because dns.exe is the Windows DNS Server service process and normally resolves DNS queries rather than launching other programs, any unexpected child process may indicate a threat similar to exploitation of CVE-2020-1350, known as SigRed. The detection logic triggers an alert when a process whose parent image is dns.exe spawns a child process other than conhost.exe. The rule carries a high severity level because of the potential impact of this behavior, and it is mapped to the Initial Access tactic in the MITRE ATT&CK framework.
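The detection logic described above, written out as an added Python example (not part of the rule or its source repository) that evaluates Sysmon-style process-creation events; the field names follow Sysmon Event ID 1 and the sample events are constructed for illustration:

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed sample process-creation events using Sysmon Event ID 1 field names.
# None of these are real telemetry; they exist only to exercise the rule logic.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Expected benign: the DNS service hosting a console window.
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    # Should alert: a shell spawned by the DNS service.
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig"},
    # Not in scope: dns.exe itself being started by the service control manager.
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\dns.exe", "CommandLine": "dns.exe"},
    # Should alert: mixed-case parent path must still match.
    {"EventID": "1", "ParentImage": r"C:\WINDOWS\SYSTEM32\DNS.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]


def _basename(image: str) -> str:
    # Image/ParentImage are full paths; compare on the file name, case-insensitively,
    # since Windows paths are case-insensitive and logs vary in casing.
    return ntpath.basename(image).lower()


def is_suspicious_dns_child(event: Dict[str, str]) -> bool:
    """Rule logic: parent image is dns.exe and the child is anything other than conhost.exe.

    A missing Image field yields an empty name, which is treated as "not conhost.exe"
    and therefore still alerts rather than silently passing.
    """
    if event.get("EventID") != "1":
        return False
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == "dns.exe" and child != "conhost.exe"


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if is_suspicious_dns_child(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['ParentImage']} -> {alert['Image']} ({alert['CommandLine']})")
```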
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-09-27