
Office Spawns Suspicious Child Process

Anvilogic Forge

Summary
This detection rule identifies suspicious child processes spawned by Microsoft Office applications, a pattern associated with the RomCom threat actor's exploitation of CVE-2023-36884. The logic consumes Windows Security event ID 4688 (process creation) and flags events in which command and script hosts such as powershell.exe, cmd.exe and similar interpreters are launched with an Office application as the parent. Regular expressions are applied to the parent process path so that only processes whose parent is a Microsoft Office binary trigger an alert. Each match is returned as a structured record containing the timestamp, host, user, and parent and child process details to support triage. Two prerequisites are worth confirming before deployment: event 4688 only carries the parent process name (Creator Process Name) on Windows 10 / Server 2016 and later, and the child's command line is only logged when the "Include command line in process creation events" audit policy is enabled. The activity maps to the MITRE ATT&CK technique T1204.002 (User Execution: Malicious File).
Categories
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1204.002
Created: 2024-02-09