
Summary
This analytic rule detects potential lateral movement by identifying PowerShell processes spawned from parent processes that common remote-execution mechanisms run under: services.exe (a remotely created service whose binary path points to PowerShell), wmiprvse.exe (WMI process creation), svchost.exe (for example the Task Scheduler service host), wsmprovhost.exe (WinRM and PowerShell remoting) and mmc.exe (DCOM via the MMC20.Application object). Attackers abuse these mechanisms to run scripts or commands on other systems without dropping a new binary. The detection uses Endpoint Detection and Response (EDR) telemetry, examining both the parent-child process relationship and the PowerShell command-line arguments. PowerShell launched from these parents may indicate privilege escalation, persistence, or lateral movement, all characteristic of advanced threat behavior. The ingested logs must include process-creation events that record the parent process and the full command line (for example Sysmon EventCode 1, or Windows Security Event 4688 with command-line auditing enabled), giving security teams the context to investigate promptly. Because some of these parents, notably svchost.exe for scheduled tasks, also launch PowerShell legitimately, expect to tune the rule against known administrative scripts.
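The following is an added example, not the page's own search logic: it applies the rule's parent-child condition to a handful of constructed Sysmon EventCode 1 records and enriches each hit with a technique hint taken from the page's ATT&CK list and a small command-line triage heuristic. The hostnames, users, and command lines are invented, and the flag heuristic (encoded command, -NoProfile, -NonInteractive, hidden window) is an assumption added here for triage, not a condition of the rule.

```python
"""Added example: parent-process detection logic for PowerShell, run over
constructed Sysmon EventCode 1 (process creation) records. Not the page's
own search; event contents and the triage heuristic are assumptions."""

import re
from typing import Optional

# Parent images the rule treats as commonly abused remote-execution hosts,
# mapped to the technique from the page's ATT&CK list most likely in play.
SUSPICIOUS_PARENTS = {
    "services.exe": "T1543.003 / T1021 (service created remotely, binary path = PowerShell)",
    "wmiprvse.exe": "T1047 (WMI Win32_Process creation)",
    "svchost.exe": "T1053.005 (scheduled task under the Schedule service host)",
    "wsmprovhost.exe": "T1021.006 (WinRM / PowerShell remoting)",
    "mmc.exe": "T1021.003 (DCOM via MMC20.Application)",
}

# Child images that count as PowerShell (T1059.001).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Triage heuristic (assumption, not part of the rule): command-line switches
# that commonly accompany remote or evasive PowerShell use.
SUSPICIOUS_FLAGS = [
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-(?:enc|encodedcommand|e|ec)\s+\S")),
    ("no_profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")),
    ("non_interactive", re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b")),
    ("hidden_window", re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")),
]


def image_name(path: str) -> str:
    """Lowercase file name of an image path; accepts both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding if a process-creation record matches the rule, else None."""
    if event.get("EventCode") != 1:          # only Sysmon process creation
        return None
    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    if child not in POWERSHELL_IMAGES or parent not in SUSPICIOUS_PARENTS:
        return None
    cmdline = event.get("CommandLine", "")
    flags = [name for name, rx in SUSPICIOUS_FLAGS if rx.search(cmdline)]
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "parent": parent,
        "child": child,
        "technique_hint": SUSPICIOUS_PARENTS[parent],
        "suspicious_flags": flags,
        "command_line": cmdline,
    }


def detect(events: list) -> list:
    """Run the rule over a list of records and return the findings in order."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample telemetry (hosts, users and commands are invented).
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "FS01.corp.local", "User": "CORP\\svc-backup",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventCode": 1, "Computer": "WS17.corp.local", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",                      # interactive, benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventCode": 1, "Computer": "SQL02.corp.local", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "whoami"'},
    {"EventCode": 1, "Computer": "APP03.corp.local", "User": "CORP\\svc-inventory",
     "ParentImage": r"C:\Windows\System32\svchost.exe",              # scheduled task
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -File C:\Scripts\inventory.ps1"},
    {"EventCode": 1, "Computer": "APP03.corp.local", "User": "CORP\\admin",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",                         # not PowerShell
     "CommandLine": "cmd.exe /c hostname"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']:<18} {finding['parent']:<16} -> {finding['child']:<16} "
              f"{finding['technique_hint']}  flags={finding['suspicious_flags']}")
```

Three of the five constructed records match: the WinRM and remote-service cases carry evasive switches, while the svchost.exe hit is a scheduled inventory script with no flags, which is the kind of recurring administrative activity the rule needs an allowlist for. The explorer.exe and cmd.exe records show that the parent and child conditions are both required.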
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Command
ATT&CK Techniques
- T1021
- T1047
- T1053
- T1543
- T1021.003
- T1021.006
- T1053.005
- T1543.003
- T1059.001
- T1218.014
Created: 2024-11-13