Suspicious Serv-U Process Pattern

Summary
This rule identifies potentially malicious behaviour associated with the Serv-U File Transfer Protocol (FTP) server software by monitoring process-creation events on Windows systems. The detection logic looks for child processes started by the Serv-U process (Serv-U.exe), focusing on common scripting and command-line utilities that could be misused for credential access or other malicious activity. Because Serv-U has been the target of 0-day exploits, the rule aims to catch abnormal patterns indicative of exploitation or unauthorized command execution by flagging processes such as cmd.exe and powershell.exe, which the Serv-U service should not normally spawn.
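The parent/child check described above, expressed in Python over constructed process-creation events (an added example, not the Sigma rule itself; the child-process list is limited to the two utilities the summary names, and the field names follow Sysmon Event ID 1 conventions as an assumption):

```python
import ntpath

# Child images the summary names as not normally spawned by the Serv-U service.
# The real rule may match more; this subset is an assumption for the example.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
PARENT_IMAGE = "serv-u.exe"


def is_suspicious_serv_u_child(event: dict) -> bool:
    """True when Serv-U.exe is the parent of a flagged command-line utility.

    Compares only the file name of each image, case-insensitively, so the
    install path and casing do not matter. ntpath handles backslash paths.
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == PARENT_IMAGE and child in SUSPICIOUS_CHILDREN


def scan(events):
    """Return the events that should raise an alert under this logic."""
    return [e for e in events if is_suspicious_serv_u_child(e)]


# Constructed sample events (assumed Sysmon-style field names), not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\RhinoSoft\Serv-U\SERV-U.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c ..."},
    # Benign: Serv-U spawning its own helper is not in the flagged set.
    {"ParentImage": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "Image": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U-Tray.exe",
     "CommandLine": "Serv-U-Tray.exe"},
    # Benign: cmd.exe spawned by explorer, not by Serv-U.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def find_alerts():
    """Run the check over the constructed sample; returns the two Serv-U hits."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in find_alerts():
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```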
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-07-14