
Suspicious WindowsTerminal Child Processes

Sigma Rules

Summary
This rule detects potentially malicious child processes spawned by the Windows Terminal application. It looks at process-creation events whose parent image ends in \WindowsTerminal.exe or \wt.exe (the Windows Terminal executables), since an unexpected child of the terminal can be a sign of persistence established through Windows Terminal. The rule names specific child executables that attackers commonly use to execute malicious commands: rundll32.exe, regsvr32.exe, certutil.exe, cscript.exe, wscript.exe, and csc.exe. It also inspects the child's command line for known script patterns and for paths under user profile folders or temporary locations, which are typical places from which attackers launch scripts.

To limit false positives from legitimate terminal use, the rule carries filters that exclude Visual Studio DevShell initialization commands and ordinary access to the Windows Terminal settings file. In practice, the rule needs process-creation telemetry that records both the parent image and the full command line (for example Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled); without the command line, the script and path conditions cannot match. The rule was authored by Nasreddine Bencherchali of Nextron Systems and highlights the value of monitoring Windows Terminal activity as part of a broader threat detection and response strategy.
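The following is an added example, written for this page rather than taken from the Sigma rule or its author, that approximates the logic described above as a small Python detector run over constructed process-creation events. The parent and child executable names come from the summary; the concrete script extensions, path fragments, and filter strings are assumptions made for illustration and are not the rule's own lists.

```python
"""Approximation of the 'Suspicious WindowsTerminal Child Processes' logic
described on this page, evaluated over constructed process-creation events.
Added example; this is not the Sigma rule itself."""
from dataclasses import dataclass

# Parent executables named on the page; matched as path suffixes, like Sigma's
# 'endswith' modifier (comparison is case-insensitive below).
TERMINAL_PARENTS = ("\\windowsterminal.exe", "\\wt.exe")

# Child binaries the page lists as commonly abused by attackers.
SUSPICIOUS_CHILD_IMAGES = (
    "\\rundll32.exe", "\\regsvr32.exe", "\\certutil.exe",
    "\\cscript.exe", "\\wscript.exe", "\\csc.exe",
)

# ASSUMPTION: the page only speaks of "known script patterns" and scripts run
# from "user folders or temporary locations"; these strings are illustrative
# choices, not the rule's own lists.
SUSPICIOUS_SCRIPT_FRAGMENTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
SUSPICIOUS_PATH_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\users\\public\\")

# ASSUMPTION: approximations of the two benign cases the page names (Visual
# Studio DevShell initialization and access to Windows Terminal's settings
# file); the real rule's filter strings may differ.
DEVSHELL_MARKERS = ("microsoft.visualstudio.devshell.dll", "enter-vsdevshell")
WT_SETTINGS_MARKER = "\\localstate\\settings.json"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the Sysmon EID 1 / 4688 fields used)."""
    parent_image: str
    image: str
    command_line: str


def spawned_by_terminal(ev: ProcessEvent) -> bool:
    """Parent-image condition: child of WindowsTerminal.exe or wt.exe."""
    return ev.parent_image.lower().endswith(TERMINAL_PARENTS)


def suspicious_child(ev: ProcessEvent) -> bool:
    """Selection: abused binary, script extension, or a user/temp path."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    if image.endswith(SUSPICIOUS_CHILD_IMAGES):
        return True
    if any(frag in cmd for frag in SUSPICIOUS_SCRIPT_FRAGMENTS):
        return True
    return any(frag in cmd for frag in SUSPICIOUS_PATH_FRAGMENTS)


def benign_filter(ev: ProcessEvent) -> bool:
    """Exclusions: VS DevShell bootstrap, Windows Terminal settings access."""
    cmd = ev.command_line.lower()
    if all(marker in cmd for marker in DEVSHELL_MARKERS):
        return True
    return WT_SETTINGS_MARKER in cmd


def matches(ev: ProcessEvent) -> bool:
    """Sigma-style 'selection and not filter' evaluation for one event."""
    return spawned_by_terminal(ev) and suspicious_child(ev) and not benign_filter(ev)


def run_detection(events):
    """Return the events that would raise an alert."""
    return [ev for ev in events if matches(ev)]


# Constructed sample events (hypothetical paths, not real telemetry).
WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe"
WT_MAIN = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: ordinary shell use, no alert
    ProcessEvent(WT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # 1: script launched from the user's temp folder, alert
    ProcessEvent(WT_MAIN, PS,
                 r"powershell.exe -ep bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1"),
    # 2: Visual Studio DevShell bootstrap, excluded by filter
    ProcessEvent(WT_MAIN, PS,
                 r'powershell.exe -NoExit -Command "&{Import-Module ""C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Microsoft.VisualStudio.DevShell.dll""; Enter-VsDevShell 1f2e3d4c}"'),
    # 3: abused binary as terminal child, alert
    ProcessEvent(WT, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    # 4: same binary but not a terminal child, no alert
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    # 5: reading the terminal's own settings.json, excluded by filter
    ProcessEvent(WT_MAIN, PS,
                 r"powershell.exe -c Get-Content C:\Users\alice\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```

Two practitioner notes on this approximation: the bare ".js" fragment is a substring match and therefore also hits "settings.json", so the settings exclusion does real work here, and an abused binary such as rundll32.exe is flagged on its image name alone, without regard to its arguments. Tune the fragment lists and filters to the telemetry and software inventory of the environment before deploying anything like this.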
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-07-25