
Summary
This rule detects suspicious child processes spawned by Windows shell and scripting environments, particularly those related to admin scripts that attackers might abuse. It targets processes whose parent is a common Windows scripting host, such as mshta.exe, powershell.exe, or rundll32.exe, and flags cases where a potentially malicious process, such as schtasks.exe or certutil.exe, is executed as the child. Multiple filters refine the detection by excluding known legitimate administrative behaviour involving Microsoft SCCM and other trusted scripts. Specifically, the rule inspects process properties such as CommandLine, ParentCommandLine, and the image names to identify activity that diverges from normal administrative work. The focus is on command lines or process environments that suggest exploitation attempts, helping to identify threats that target Windows systems via scripting.
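The parent/child matching and exclusion logic described above, as an added illustration that is not the rule's own query: the parent and child image lists are the ones named in the summary, while the `ProcessEvent` fields, the sample events and the SCCM-style exclusion markers (`\ccm\`, `\sccm\`) are constructed assumptions standing in for the rule's real filters, which are not reproduced on this page.

```python
# Added example: evaluate process-creation events against the pattern
# "scripting-host parent -> suspicious child", with an exclusion pass.
# Not the rule's own logic; list contents beyond the named images are assumed.
from dataclasses import dataclass
from typing import List

# Parent images named in the summary as common Windows scripting hosts.
SHELL_PARENTS = {"mshta.exe", "powershell.exe", "rundll32.exe"}
# Child images named in the summary as potentially malicious when spawned this way.
SUSPICIOUS_CHILDREN = {"schtasks.exe", "certutil.exe"}
# Constructed placeholders for the rule's SCCM / trusted-script exclusions.
EXCLUDED_PARENT_CMDLINE_MARKERS = ("\\ccm\\", "\\sccm\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when the event matches the parent/child pattern and no exclusion applies."""
    if basename(ev.parent_image) not in SHELL_PARENTS:
        return False
    if basename(ev.image) not in SUSPICIOUS_CHILDREN:
        return False
    parent_cmd = ev.parent_command_line.lower()
    # Exclusion filter: drop events whose parent command line looks like
    # legitimate management tooling (constructed markers, see lead-in).
    if any(marker in parent_cmd for marker in EXCLUDED_PARENT_CMDLINE_MARKERS):
        return False
    return True


def evaluate(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events the rule would raise an alert for."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Match: scripting host parent, scheduled-task child, no exclusion.
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line="schtasks.exe /query",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_command_line=r"powershell.exe -File C:\Users\alice\update.ps1",
    ),
    # No match: parent is not a scripting host.
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line="schtasks.exe /query",
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line="explorer.exe",
    ),
    # Excluded: parent command line carries the constructed SCCM marker.
    ProcessEvent(
        image=r"C:\Windows\System32\certutil.exe",
        command_line="certutil.exe -verify cert.cer",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_command_line=r"powershell.exe -File C:\Windows\CCM\inventory.ps1",
    ),
    # Match: mshta parent, certutil child.
    ProcessEvent(
        image=r"C:\Windows\System32\certutil.exe",
        command_line="certutil.exe -verify cert.cer",
        parent_image=r"C:\Windows\System32\mshta.exe",
        parent_command_line=r"mshta.exe C:\Temp\page.hta",
    ),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {basename(hit.parent_image)} -> {basename(hit.image)}")
```

Because comparison is on image basenames and on a case-folded command line, the same function works whether the telemetry records full paths or bare names; tightening the exclusion to exact parent paths rather than substring markers is the usual next step once the real SCCM invocation shapes are known.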
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2018-04-06