Suspicious ScreenConnect Client Child Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious child processes spawned by ScreenConnect client processes. ScreenConnect is a remote access tool, and malicious actors can abuse an established ScreenConnect session to execute unauthorized commands, for example by launching PowerShell. The rule triggers on process creation events whose parent is one of the specified ScreenConnect client executables and examines the child's command line for patterns indicative of abuse, such as encoded PowerShell commands or suspicious command-line usage of utilities like cmd.exe and schtasks.exe. Analysts should verify the legitimacy of these child processes and investigate whether unauthorized actions are being performed under the guise of legitimate remote access software usage.
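As an added example (not Elastic's rule logic and not code from this page), the following Python applies the approach described above to a handful of constructed process-creation events: it keeps only children of ScreenConnect client executables and flags encoded PowerShell, cmd.exe /c, and schtasks.exe /create. The parent executable names, the three argument patterns and the sample events are assumptions chosen for illustration; the rule's own parent list and query are not reproduced on this page. The example also decodes the -EncodedCommand payload, which is the first thing an analyst triaging such an alert wants to see, and handles PowerShell's abbreviated flag forms without misfiring on -ExecutionPolicy.

```python
import base64
import binascii

# Parent executables treated as ScreenConnect clients. These names are an
# assumption for this example; the page does not reproduce the rule's exact list.
SCREENCONNECT_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.windowsbackstageshell.exe",
    "screenconnect.windowsfilemanager.exe",
}

POWERSHELL = {"powershell.exe", "pwsh.exe"}


def is_encoded_command_flag(arg: str) -> bool:
    """True if arg is -EncodedCommand or an abbreviation PowerShell accepts
    (-e, -en, -enc, ..., plus -ec). PowerShell resolves unambiguous prefixes,
    so -ex(ecutionPolicy) must not match. Leading '/' is accepted like '-'."""
    if not arg or arg[0] not in "-/":
        return False
    body = arg[1:].lower()
    return body == "ec" or (body != "" and "encodedcommand".startswith(body))


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) for triage.
    Returns None when the argument is not valid base64 or not UTF-16."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError):
        return None


def classify(event: dict):
    """Return a reason string if the event is a suspicious ScreenConnect child
    process, else None. Names are compared case-insensitively, as on Windows.
    The three patterns below are assumptions for the example, not the rule's."""
    parent = event.get("parent_name", "").lower()
    if parent not in SCREENCONNECT_PARENTS:
        return None
    name = event.get("process_name", "").lower()
    args = event.get("args", [])
    lower_args = [a.lower() for a in args]
    if name in POWERSHELL and any(is_encoded_command_flag(a) for a in args):
        return "encoded PowerShell command"
    if name == "cmd.exe" and "/c" in lower_args:
        return "cmd.exe /c command execution"
    if name == "schtasks.exe" and "/create" in lower_args:
        return "scheduled task creation via schtasks.exe"
    return None


def scan(events):
    """Run classify() over a list of events and attach the decoded
    PowerShell payload when an encoded-command flag is present."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason is None:
            continue
        hit = {"index": i, "process": ev["process_name"], "reason": reason}
        args = ev.get("args", [])
        for j, a in enumerate(args[:-1]):
            if is_encoded_command_flag(a):
                hit["decoded"] = decode_encoded_command(args[j + 1])
                break
        hits.append(hit)
    return hits


# Constructed sample events (not real telemetry). The base64 string is
# UTF-16LE "whoami", the form -EncodedCommand expects.
SAMPLE_EVENTS = [
    {"parent_name": "ScreenConnect.ClientService.exe", "process_name": "powershell.exe",
     "args": ["powershell.exe", "-nop", "-w", "hidden", "-enc", "dwBoAG8AYQBtAGkA"]},
    {"parent_name": "ScreenConnect.WindowsClient.exe", "process_name": "cmd.exe",
     "args": ["cmd.exe", "/c", "whoami"]},
    {"parent_name": "ScreenConnect.ClientService.exe", "process_name": "schtasks.exe",
     "args": ["schtasks.exe", "/create", "/tn", "Updater", "/tr",
              "C:\\Users\\Public\\u.exe", "/sc", "minute"]},
    # Same PowerShell pattern but not a ScreenConnect child: must not fire.
    {"parent_name": "explorer.exe", "process_name": "powershell.exe",
     "args": ["powershell.exe", "-enc", "dwBoAG8AYQBtAGkA"]},
    # -ExecutionPolicy starts with "-e" but is not an encoded command: must not fire.
    {"parent_name": "ScreenConnect.ClientService.exe", "process_name": "powershell.exe",
     "args": ["powershell.exe", "-ExecutionPolicy", "Bypass", "-File",
              "C:\\Scripts\\inventory.ps1"]},
    {"parent_name": "ScreenConnect.ClientService.exe", "process_name": "notepad.exe",
     "args": ["notepad.exe"]},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

In production the cmd.exe and schtasks.exe patterns need tuning, since legitimate remote-support sessions also launch them; the rule described above inspects the arguments more closely than this example does. Keep the decoded payload in the alert: an encoded `whoami` and an encoded download cradle warrant very different responses.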
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • Command
ATT&CK Techniques
  • T1219
Created: 2024-03-27