
Summary
This detection rule monitors process creation events on Windows systems in which stordiag.exe launches certain trusted utilities (schtasks.exe, systeminfo.exe, and fltmc.exe). Its aim is to identify potentially malicious behaviour where stordiag.exe is used to spawn these processes, which could indicate an attempt to evade detection during an attack; stordiag.exe is not a common parent for these system utilities, which makes the activity suspicious. The rule selects executions whose parent process is stordiag.exe, while ensuring that the parent originates from the typical Windows system directories. The rule logic is crafted to improve detection accuracy and minimize false positives by separating legitimate use from malicious intent.
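The following is an added example, not code from the rule or this page: it evaluates the two conditions described above over constructed Sysmon-style process-creation events. The field names (ParentImage, Image) and the list of system directories are assumptions, and because the summary does not spell out how the directory condition is applied, the function reports it as a separate flag next to the parent/child match.

```python
# Added example (not the rule's own code): evaluates the stordiag.exe
# parent/child logic described in the summary over constructed events.
from pathlib import PureWindowsPath

# Child utilities named in the rule summary.
WATCHED_CHILDREN = {"schtasks.exe", "systeminfo.exe", "fltmc.exe"}
# Typical Windows system directories for the parent image (assumed list).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def evaluate(event: dict) -> dict:
    """Return both conditions from the summary for one process-creation event.

    Event keys follow Sysmon Event ID 1 naming (assumption): ParentImage, Image.
    """
    parent = PureWindowsPath(event.get("ParentImage", ""))
    child = PureWindowsPath(event.get("Image", ""))
    parent_dir = str(parent.parent).lower().rstrip("\\")
    return {
        # stordiag.exe spawning one of the watched utilities
        "stordiag_spawn": parent.name.lower() == "stordiag.exe"
        and child.name.lower() in WATCHED_CHILDREN,
        # whether the parent binary sits in a typical system directory
        "parent_in_system_dir": parent_dir in SYSTEM_DIRS,
    }


def find_matches(events: list) -> list:
    """Events where stordiag.exe spawned a watched utility, with the directory flag attached."""
    matches = []
    for ev in events:
        result = evaluate(ev)
        if result["stordiag_spawn"]:
            matches.append({**ev, "parent_in_system_dir": result["parent_in_system_dir"]})
    return matches


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\stordiag.exe",
     "Image": r"C:\Windows\System32\schtasks.exe"},
    {"ParentImage": r"C:\Users\Public\stordiag.exe",
     "Image": r"C:\Windows\System32\fltmc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\systeminfo.exe"},
]

if __name__ == "__main__":
    for match in find_matches(SAMPLE_EVENTS):
        print(match)
```

The second sample event shows why the directory flag matters: the same parent/child pairing from a non-system path is the case a triage analyst would want surfaced distinctly from the expected system32 location.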
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-10-21