Visual Basic Command Line Compiler Usage

Sigma Rules

Summary
This detection rule identifies use of the Visual Basic Command Line Compiler (vbc.exe) in conjunction with the Windows Resource to Object Converter (cvtres.exe). It monitors process creation events for executions of these binaries. Because these tools can be leveraged in attack scenarios, particularly to evade defenses and execute malicious payloads, any successful compilation is flagged for further investigation. The rule hinges on two conditions: the parent process must be vbc.exe, and the executed image must be cvtres.exe. It helps security professionals identify potentially unwanted or malicious behavior stemming from these Windows utilities, aligning with the tactics outlined in ATT&CK framework T1027.004, which addresses code signing and defense evasion strategies. When handling false positives, keep in mind that legitimate business use of these tools typically should not occur within a controlled enterprise environment.
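As an added example (not code from this rule page or from the Sigma project), the two-condition selection described above is expressed in Python and evaluated over constructed Sysmon-style process-creation events; the field names `Image`/`ParentImage` and the sample paths are assumptions, and the `endswith` matching mirrors how a Sigma `|endswith` modifier behaves on Windows paths.

```python
# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"},
    # Mixed case and a vbc.exe copied outside the framework directory still match.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CVTRES.EXE",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\VBC.EXE"},
    # csc.exe parent: outside the scope of this rule.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    # vbc.exe parent but a different child image: only one condition holds.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"},
    # File name merely contains "cvtres.exe"; must not match.
    {"Image": r"C:\temp\notcvtres.exe",
     "ParentImage": r"C:\temp\vbc.exe"},
]


def _ends_with_name(path, name):
    """Case-insensitive suffix match anchored at a path separator, like
    Sigma's `|endswith: '\\name.exe'` on Windows paths."""
    return path.lower().endswith("\\" + name.lower())


def matches_rule(event):
    """Selection: ParentImage endswith \\vbc.exe AND Image endswith \\cvtres.exe."""
    return (_ends_with_name(event.get("ParentImage", ""), "vbc.exe")
            and _ends_with_name(event.get("Image", ""), "cvtres.exe"))


def run_detection(events):
    """Return the indices of the events the rule would flag for investigation."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"flagged event {idx}: {ev['ParentImage']} -> {ev['Image']}")
```

Anchoring the suffix at the backslash is what keeps `notcvtres.exe` from matching; a plain substring or unanchored `endswith` check would flag it.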
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
Created: 2020-10-07