
Summary
This detection rule identifies suspicious child processes spawned by BgInfo.exe, a legitimate Sysinternals utility that displays system information on the desktop. Because BgInfo is a signed Microsoft binary that is commonly deployed through logon scripts, adversaries can abuse it as a trusted parent for running their own code, for example to evade detection or to establish persistence. The rule matches process-creation events in which either the 32-bit or the 64-bit BgInfo binary (bginfo.exe or bginfo64.exe) is the parent and the child is a shell or script interpreter (cmd.exe, PowerShell, cscript.exe, wscript.exe, mshta.exe) or one of the harmless programs typically launched as proof-of-concept payloads (calc.exe, notepad.exe). It additionally flags children executed from directories associated with temporary files or user-specific application data, since a legitimate BgInfo configuration has little reason to launch executables staged there. By monitoring these events, organizations can identify and investigate misuse of this utility early. The rule is categorized under process-creation events, targets Windows, and carries a high severity level; expect to tune it against any .bgi configurations in your environment that intentionally invoke scripts.
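The matching logic described above, as an added stand-alone example (not the published rule text): a small matcher run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the exact set of suspicious directories, and the inclusion of pwsh.exe alongside powershell.exe, are assumptions rather than quotes from the rule.

```python
"""Added example: BgInfo.exe suspicious-child matcher over constructed events.

This is illustrative code written for this page, not the rule as published.
Field names follow Sysmon Event ID 1; the directory list and pwsh.exe are assumptions.
"""
from __future__ import annotations

# Parent binaries: 32-bit and 64-bit BgInfo.
PARENT_IMAGES = ("\\bginfo.exe", "\\bginfo64.exe")

# Shells, script interpreters and typical proof-of-concept payloads.
SUSPICIOUS_CHILDREN = (
    "\\calc.exe",
    "\\cmd.exe",
    "\\cscript.exe",
    "\\mshta.exe",
    "\\notepad.exe",
    "\\powershell.exe",
    "\\pwsh.exe",      # assumption: PowerShell 7 binary, not named on the page
    "\\wscript.exe",
)

# Staging locations for temporary files and per-user application data (assumed list).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)


def is_bginfo_parent(parent_image: str) -> bool:
    """Case-insensitive suffix match on the parent image path."""
    return parent_image.lower().endswith(PARENT_IMAGES)


def child_reason(image: str) -> str | None:
    """Return why a child image is suspicious, or None if it is not."""
    img = image.lower()
    if img.endswith(SUSPICIOUS_CHILDREN):
        return "interpreter_or_poc_child"
    if any(d in img for d in SUSPICIOUS_DIRS):
        return "child_from_temp_or_appdata"
    return None


def evaluate(event: dict) -> str | None:
    """Apply the rule to one process-creation event; None means no match."""
    if not is_bginfo_parent(event.get("ParentImage", "")):
        return None
    return child_reason(event.get("Image", ""))


def run(events: list[dict]) -> list[tuple[str, str]]:
    """Return (child image, reason) for every matching event."""
    return [(e["Image"], r) for e in events if (r := evaluate(e)) is not None]


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {   # BgInfo launching cmd.exe: matches the interpreter list
        "ParentImage": "C:\\Tools\\Bginfo64.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # BgInfo launching a binary staged in %TEMP%: matches the directory check
        "ParentImage": "C:\\Program Files\\Sysinternals\\Bginfo.exe",
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
        "CommandLine": "upd.exe",
    },
    {   # BgInfo spawning conhost.exe from System32: not covered by this rule
        "ParentImage": "C:\\Tools\\Bginfo.exe",
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "conhost.exe",
    },
    {   # Explorer launching cmd.exe: wrong parent, no match
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for image, reason in run(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {image}")
```

The two branches mirror the two conditions in the summary: a fixed list of child image names and a substring check on the child path. A legitimate .bgi that deliberately runs a script will trip the first branch, so baseline those configurations before enabling the rule at high severity.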
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-08-16