
Summary
This rule detects potentially suspicious child processes spawned by ClickOnce deployment applications on Windows. ClickOnce is a deployment technology that lets users install and run Windows-based applications with minimal user interaction. Its design, however, can be abused by attackers to execute malicious code under a trusted execution context. The rule specifically looks for processes launched from known ClickOnce application directories, filtering for child processes that exhibit unusual or unexpected behaviour. The detection logic identifies parent processes located in the user-specific AppData\Local\Apps\2.0\ directory and monitors for the execution of a specified set of executable files that could indicate potentially malicious activity. The detected child processes align with techniques commonly used for both attack execution and evasion. This helps analysts and security systems discern misuse of a benign application-installation mechanism to deliver attacks.
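As an added illustration (not the rule's own query or its real executable list), the following Python applies the two checks described above, a parent image under the per-user AppData\Local\Apps\2.0\ path and a child image from a watched set, to constructed Sysmon-style process-creation events. The watched set, user names and application paths are assumed placeholders.

```python
import re

# Assumed watch list: the summary does not enumerate the rule's executable set,
# so this is a constructed placeholder, not the rule's actual list.
SUSPICIOUS_CHILD_IMAGES = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}

# Matches the user-specific ClickOnce path fragment regardless of user name or
# path casing; "2.0" is escaped so the dot is literal.
CLICKONCE_PARENT_RE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)


def is_clickonce_child(event: dict) -> bool:
    """True when the parent lives in the ClickOnce app cache and the child
    image's file name is in the watched set."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not CLICKONCE_PARENT_RE.search(parent):
        return False
    child_name = image.rsplit("\\", 1)[-1].lower()
    return child_name in SUSPICIOUS_CHILD_IMAGES


def find_alerts(events):
    """Return the EventIds of events that satisfy the detection logic."""
    return [e["EventId"] for e in events if is_clickonce_child(e)]


# Constructed sample events (hypothetical users, paths and deployment names).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.567\EFGH.890\MyApp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                      # ClickOnce -> cmd: alert
    {"EventId": 2,
     "ParentImage": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.567\EFGH.890\MyApp.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},                  # child not in watch list
    {"EventId": 3,
     "ParentImage": r"C:\Program Files\Vendor\Tool.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                      # parent not ClickOnce
    {"EventId": 4,
     "ParentImage": r"c:\users\bob\appdata\local\apps\2.0\xyz\uvw\Tool.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},  # case-insensitive match
]


def evaluate_sample():
    return find_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("alerting EventIds:", evaluate_sample())
```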
Categories
- Windows
Data Sources
- Process
Created: 2023-06-12