Windows Cmdline Tool Execution From Non-Shell Process

Splunk Security Content

Summary
This detection rule identifies instances where command-line discovery tools such as `ipconfig.exe` and `systeminfo.exe` are spawned by a parent process that is not a standard shell or interactive environment. Typical parents such as `cmd.exe`, PowerShell, and Explorer are excluded, so the rule focuses on the case where a tool is launched from an unexpected process, as happens when an attacker runs system discovery from an injected process. This behavior has been observed in threat actor activity, notably FIN7's JSSLoader, and a confirmed instance can indicate adversarial reconnaissance that precedes further exploitation or lateral movement within the network. The detection relies on process-creation telemetry from Endpoint Detection and Response (EDR) solutions, which records the process, its command line, and its parent.
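The following is an added worked example, not the Splunk rule's own search: a small Python model of the detection logic described above, run over constructed process-creation events. The tool list, the excluded-parent list, the host names and the events themselves are assumptions chosen for illustration. It also handles two details a practitioner hits immediately with EDR data: the process name may arrive as a full path in mixed case, and a single non-shell parent running several discovery tools in sequence is far more interesting than one isolated hit, so the results are aggregated per host and parent.

```python
# Added example (not from the Splunk rule): a pared-down Python model of the
# detection logic, evaluated over constructed process-creation events.
# The tool and parent sets below are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed set of command-line discovery tools worth flagging.
DISCOVERY_TOOLS = {
    "ipconfig.exe", "systeminfo.exe", "whoami.exe", "net.exe",
    "nltest.exe", "netstat.exe", "route.exe", "quser.exe",
}

# Assumed set of ordinary shell/interactive parents that are excluded,
# because a user or script launching ipconfig.exe from them is routine.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event as an EDR would report it."""
    host: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line


def image_name(path: str) -> str:
    """Strip any directory component and lower-case the result, so that
    'C:\\Windows\\System32\\IPCONFIG.EXE' compares equal to 'ipconfig.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_non_shell_discovery(evt: ProcessEvent) -> bool:
    """True when a discovery tool is spawned by something other than a shell."""
    return (image_name(evt.process_name) in DISCOVERY_TOOLS
            and image_name(evt.parent_process_name) not in SHELL_PARENTS)


def find_hits(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the raw events that match the rule."""
    return [e for e in events if is_non_shell_discovery(e)]


def summarize(events: Iterable[ProcessEvent]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Roughly the aggregation step of a detection search: group hits by
    (host, parent) and record the distinct tools and users seen, so one
    parent enumerating the host with several tools stands out."""
    out: Dict[Tuple[str, str], Dict[str, object]] = {}
    for e in find_hits(events):
        key = (e.host, image_name(e.parent_process_name))
        entry = out.setdefault(key, {"count": 0, "tools": set(), "users": set()})
        entry["count"] += 1
        entry["tools"].add(image_name(e.process_name))
        entry["users"].add(e.user)
    return out


# Constructed sample telemetry; none of this is real data.
SAMPLE_EVENTS = [
    # Benign: an admin runs ipconfig from cmd.exe.
    ProcessEvent("ws01", "corp\\alice", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
    # Benign: a script run from PowerShell.
    ProcessEvent("ws01", "corp\\alice", "powershell.exe", "systeminfo.exe", "systeminfo"),
    # Suspicious: a non-shell parent enumerating the host, tool after tool.
    ProcessEvent("ws02", "corp\\bob", "C:\\Windows\\System32\\rundll32.exe",
                 "C:\\Windows\\System32\\IPCONFIG.EXE", "ipconfig /all"),
    ProcessEvent("ws02", "corp\\bob", "rundll32.exe", "systeminfo.exe", "systeminfo"),
    ProcessEvent("ws02", "corp\\bob", "rundll32.exe", "whoami.exe", "whoami /all"),
    ProcessEvent("ws02", "corp\\bob", "rundll32.exe", "net.exe",
                 'net group "domain admins" /domain'),
    # Not a discovery tool at all, so ignored regardless of parent.
    ProcessEvent("ws02", "corp\\bob", "rundll32.exe", "notepad.exe", "notepad"),
]

if __name__ == "__main__":
    for (host, parent), info in summarize(SAMPLE_EVENTS).items():
        print(host, parent, info["count"], sorted(info["tools"]), sorted(info["users"]))
```

Run stand-alone, the script reports only `ws02` with parent `rundll32.exe`, four hits across four distinct tools, while the identical commands launched from `cmd.exe` and `powershell.exe` on `ws01` are dropped by the parent exclusion. When tuning a rule like this, the parent exclusion list is where false positives are managed: legitimate monitoring agents and software-deployment services also spawn these tools, and each one added to the exclusion set is a blind spot if an attacker injects into it.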
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Active Directory
ATT&CK Techniques
  • T1059
  • T1059.007
Created: 2025-01-13