
Summary
This detection rule identifies potential arbitrary command execution through the `ftp.exe` executable on Windows systems. When `ftp.exe` runs with the `-s` or `/s` flag, it executes the commands contained in a script file, which can lead to unintentional or malicious actions depending on the contents of that script. The rule triggers on the execution of `ftp.exe` and also monitors any child processes spawned by it. Its selection criteria check both the parent process (`ftp.exe`) and its child processes, together with the command-line parameters, so that suspicious activity is flagged. This detection is particularly relevant against threat actors who use FTP commands to execute unintended scripts as part of their attack strategies.
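As an added illustration (not the rule's own query or code), the following Python mirrors the two conditions described above and runs them over constructed process-creation events. It assumes Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`) and a script flag written as `-s:` or `/s:`; the sample events are made up for the demonstration.

```python
"""Detection logic for the ftp.exe rule described above: flag an event when
ftp.exe is launched with a script flag (-s: / /s:) or when ftp.exe is the
parent of another process. Field names follow Sysmon Event ID 1 naming
(assumption); the sample events below are constructed, not real telemetry."""
import re
from typing import Dict, List

# "-s:" or "/s:" as its own token; ftp.exe accepts both spellings.
SCRIPT_FLAG = re.compile(r"(?:^|\s)[-/]s:", re.IGNORECASE)


def _is_ftp(image: str) -> bool:
    return image.lower().endswith("\\ftp.exe")


def classify(event: Dict[str, str]) -> str:
    """Return the name of the matched condition, or '' if nothing matched."""
    if _is_ftp(event.get("ParentImage", "")):
        return "ftp_child_process"      # anything spawned by ftp.exe
    if _is_ftp(event.get("Image", "")) and SCRIPT_FLAG.search(event.get("CommandLine", "")):
        return "ftp_script_execution"   # ftp.exe -s:<file> or /s:<file>
    return ""


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and return the hits with a 'rule' tag."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({**ev, "rule": reason})
    return hits


# Constructed sample events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\Users\Public\cmds.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c echo hello',
     "ParentImage": r"C:\Windows\System32\ftp.exe"},
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp.exe 192.0.2.10",        # interactive use, no script flag
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["rule"], "=>", hit["CommandLine"])
```

The third sample shows the expected gap: interactive `ftp.exe` use without a script flag and without children is not flagged, so the rule's noise comes from legitimate scripted FTP jobs rather than ordinary interactive sessions.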
Categories
- Windows
Data Sources
- Process
Created: 2020-10-09