Windows Suspicious Child Process Spawned From WebServer

Splunk Security Content

Summary
This detection rule identifies potentially malicious activity on Windows web servers by monitoring for suspicious child processes such as `cmd.exe`, `powershell.exe`, or `bash.exe` being spawned by known web server processes such as `w3wp.exe` (IIS) and `nginx.exe`. This behavior often signifies an exploitation attempt, such as the installation of a web shell, which grants an attacker the ability to execute arbitrary commands and maintain persistent access to the system, potentially leading to privilege escalation and data exfiltration. The rule uses logs from Sysmon and the Windows Security event log to capture the relevant process-spawning events and matches them against known parent processes associated with web server activity. To be effective, the rule should be deployed together with baseline filtering to reduce false positives from legitimate administrative activity or vendor applications.
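As an added illustration (not the Splunk rule's own SPL), the following Python applies the logic described above to constructed Sysmon-style process-creation records, including the baseline filtering the summary recommends. The parent and child process names come from the summary; the field names, the baseline allowlist pattern and the sample events are assumptions made for this example.

```python
import re

# Web server parents named in the rule summary: w3wp.exe (IIS) and nginx.exe.
WEB_SERVER_PARENTS = {"w3wp.exe", "nginx.exe"}
# Shell-like children a web server worker process should almost never launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "bash.exe"}
# Constructed baseline allowlist (assumption, not part of the rule): command lines an
# operator has reviewed, e.g. a vendor health-check script. Tune per environment.
BASELINE_ALLOW = [re.compile(r"-File\s+C:\\Vendor\\health_check\.ps1$", re.IGNORECASE)]

def image_name(path: str) -> str:
    """Reduce a full image path to its lowercase file name, e.g. 'cmd.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event: dict) -> bool:
    """True when a web server parent spawned a shell-like child that is not baselined."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in WEB_SERVER_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return False
    cmdline = event.get("CommandLine", "")
    return not any(pattern.search(cmdline) for pattern in BASELINE_ALLOW)

def detect(events: list) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if is_suspicious(e)]

# Constructed records shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c dir C:\inetpub\wwwroot", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\nginx\nginx.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"powershell.exe -File C:\Vendor\health_check.ps1", "User": r"IIS APPPOOL\VendorPool"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\admin"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths", "User": r"IIS APPPOOL\DefaultAppPool"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={image_name(hit['ParentImage'])} child={image_name(hit['Image'])} user={hit['User']}")
```

Of the five constructed records only the first two alert: the vendor script is baselined, `explorer.exe` is not a web server parent, and `csc.exe` (routine ASP.NET compilation) is outside the rule's child list.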
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1505
  • T1505.003
Created: 2025-01-13