
Summary
This detection rule identifies potentially suspicious child processes spawned by the legitimate GoogleUpdate.exe executable on Windows systems. It uses process creation logging to examine the parent-child relationship of processes: it selects child processes whose parent image ends with \GoogleUpdate.exe. To separate legitimate from potentially malicious child processes, the rule filters out known legitimate images, namely those whose path contains \Google and those ending with specific installer names (setup.exe, chrome_updater.exe, chrome_installer.exe). A child process launched by GoogleUpdate.exe that does not match any of these filters is flagged as potentially suspicious. Excluding the common legitimate child processes keeps false positives low while still capturing potential abuse. The rule is assigned high severity because of the risk of malicious activity masquerading as legitimate software updates, and it is part of ongoing efforts to enhance security through proactive monitoring.
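As an added example that is not the rule's own code, the following Python applies the parent selection and the known-good filters described above to a handful of constructed process-creation events; the event field names and the sample paths are assumptions, not real telemetry.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Match terms taken from the rule description, lower-cased so matching is
# case-insensitive, as Windows paths are.
PARENT_SUFFIX = r"\googleupdate.exe"
LEGIT_CONTAINS = (r"\google",)
LEGIT_ENDSWITH = ("setup.exe", "chrome_updater.exe", "chrome_installer.exe")


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation event: only the fields the rule needs (assumed names)."""
    image: str         # full path of the new (child) process
    parent_image: str  # full path of the process that spawned it


def is_suspicious_child(ev: ProcessCreate) -> bool:
    """True when GoogleUpdate.exe spawned a child that no filter covers."""
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    if not parent.endswith(PARENT_SUFFIX):
        return False  # selection: only children of GoogleUpdate.exe
    if any(term in image for term in LEGIT_CONTAINS):
        return False  # filter: child image under a \Google path
    if image.endswith(LEGIT_ENDSWITH):
        return False  # filter: known installer/updater names
    return True       # anything else is flagged


def find_suspicious(events: Iterable[ProcessCreate]) -> List[ProcessCreate]:
    """Run the rule over a batch of events and return the hits."""
    return [ev for ev in events if is_suspicious_child(ev)]


# Constructed sample events (hypothetical paths, not captured logs).
GU = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Program Files (x86)\Google\Update\GoogleCrashHandler.exe", GU),
    ProcessCreate(r"C:\Windows\Temp\chrome_installer.exe", GU),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", GU),
    ProcessCreate(r"C:\Users\Public\svc_update.exe", GU),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {ev.parent_image} -> {ev.image}")
```

Only the third and fourth sample events are flagged: the first two are excluded by the \Google and installer-name filters, and the last is not a child of GoogleUpdate.exe at all.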
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-05-15