
Summary
This analytic rule detects potentially malicious activity associated with the CrushFTP service, specifically the service process (crushftpservice.exe) spawning shell processes such as cmd.exe or powershell.exe. CrushFTP does not spawn shells in normal operation, so this behavior is a strong indicator of an exploitation attempt or an already compromised host. The rule uses process creation events from sources such as Sysmon and Windows Event Logs to identify shell processes whose parent is the CrushFTP service. The detection correlates with known vulnerabilities such as CVE-2025-31161, which may allow attackers to execute arbitrary commands with the same privileges as the CrushFTP service; a match may therefore indicate a significant security incident requiring immediate attention. The rule requires EDR agents that provide the necessary process telemetry and proper log ingestion practices for the detection logic to function.
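The parent/child relationship the rule looks for is simple enough to show end to end. The following is an added example, not the rule's own query or any project code: it models a handful of constructed Sysmon Event ID 1 style process-creation records and flags those where crushftpservice.exe is the direct parent of a shell. cmd.exe and powershell.exe come from the description above; treating pwsh.exe as a shell as well, and the sample paths and users, are assumptions made here.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Shell images whose appearance as a child of the CrushFTP service is treated as
# suspicious. cmd.exe and powershell.exe are from the rule description; pwsh.exe
# (PowerShell 7) is an added assumption.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CRUSHFTP_IMAGE = "crushftpservice.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the fields in a Sysmon Event ID 1 / Security 4688 record."""
    host: str
    utc_time: str
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS; lower-case
    # so that "Cmd.exe" and "cmd.exe" compare equal, as they do on NTFS.
    return ntpath.basename(path).lower()


def is_crushftp_shell_spawn(ev: ProcessEvent) -> bool:
    """True when the CrushFTP service process is the direct parent of a shell."""
    return (_basename(ev.parent_image) == CRUSHFTP_IMAGE
            and _basename(ev.image) in SHELL_IMAGES)


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that match the detection, preserving input order."""
    return [ev for ev in events if is_crushftp_shell_spawn(ev)]


# Constructed sample telemetry (not real logs). Paths, users and times are invented.
SAMPLE_EVENTS = [
    # Normal: the service launching its Java runtime is expected behaviour.
    ProcessEvent("FTP01", "2025-04-03 10:00:01",
                 r"C:\Program Files\CrushFTP10\crushftpservice.exe",
                 r"C:\Program Files\CrushFTP10\Java\bin\java.exe",
                 "java.exe -jar CrushFTP.jar", "NT AUTHORITY\\SYSTEM"),
    # Suspicious: the service spawning cmd.exe.
    ProcessEvent("FTP01", "2025-04-03 10:05:42",
                 r"C:\Program Files\CrushFTP10\crushftpservice.exe",
                 r"C:\Windows\System32\Cmd.exe",
                 'cmd.exe /c whoami', "NT AUTHORITY\\SYSTEM"),
    # Normal: an interactive user opening a shell from Explorer.
    ProcessEvent("FTP01", "2025-04-03 10:06:10",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe", "FTP01\\admin"),
    # Suspicious: the service spawning PowerShell.
    ProcessEvent("FTP01", "2025-04-03 10:07:33",
                 r"C:\Program Files\CrushFTP10\crushftpservice.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process",
                 "NT AUTHORITY\\SYSTEM"),
    # Normal: the Service Control Manager starting the service itself.
    ProcessEvent("FTP01", "2025-04-03 09:59:58",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Program Files\CrushFTP10\crushftpservice.exe",
                 "crushftpservice.exe", "NT AUTHORITY\\SYSTEM"),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.utc_time} {alert.host} {alert.user}: "
              f"{_basename(alert.parent_image)} -> {alert.command_line}")
```

Matching on the image basename rather than the full path keeps the logic stable across install directories, and comparing case-insensitively mirrors NTFS semantics. In a SIEM this same condition is expressed as a filter on the parent process name and process name fields of the normalized process-creation data model.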
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1059.001
- T1059.003
- T1190
- T1505
Created: 2025-04-03