
Summary
This detection rule monitors for suspicious execution patterns involving the Microsoft Management Console (MMC), specifically the execution of malicious .msc files. Threat actors are known to abuse MMC, using it to launch dangerous child processes through mmc.exe that can lead to unauthorized access to and control over Windows systems. The logic centers on identifying child processes spawned by mmc.exe whose images do not originate from standard Windows directories or legitimate application paths. The rule depends on Sysmon process-creation logging, which is essential for high rule fidelity. It filters out legitimate behaviour linked to common system binaries and directory paths, so that only suspicious or anomalous executions are surfaced. This detection helps counter techniques such as System Binary Proxy Execution (T1218.014), as catalogued in the MITRE ATT&CK framework.
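The core of that logic, written out as an added Python example (not the rule's own query or code): it walks Sysmon-style process-creation events, keeps children of mmc.exe whose image falls outside a trusted-directory allowlist, and records the .msc console named on the parent command line for triage. The allowlist, the sample events and the choice to normalise paths before the prefix check are assumptions of this example.

```python
import ntpath
import re
# Directories whose binaries are treated as benign children of mmc.exe.
# Assumed allowlist for this example, not the rule's own filter list.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
MSC_RE = re.compile(r'("[^"]+\.msc"|\S+\.msc)', re.IGNORECASE)

def _norm(path: str) -> str:
    # Collapse '.' / '..' and lower-case, so C:\Windows\System32\..\Temp\x.exe
    # cannot pass the System32 prefix check below.
    return ntpath.normpath(path).lower()

def is_trusted_path(image: str) -> bool:
    p = _norm(image)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def msc_from_commandline(cmdline: str) -> str:
    # The .msc console named on the parent command line, for analyst context.
    m = MSC_RE.search(cmdline or "")
    return m.group(1).strip('"') if m else ""

def is_suspicious_mmc_child(event: dict) -> bool:
    # Sysmon process-creation fields: ParentImage is mmc.exe and the child
    # Image lives outside the trusted directories.
    if not _norm(event.get("ParentImage", "")).endswith("\\mmc.exe"):
        return False
    return not is_trusted_path(event.get("Image", ""))

def find_suspicious(events):
    return [{"image": _norm(e["Image"]),
             "msc": msc_from_commandline(e.get("ParentCommandLine", ""))}
            for e in events if is_suspicious_mmc_child(e)]

# Constructed sample events using Sysmon field names (not real telemetry).
MMC = r"C:\Windows\System32\mmc.exe"
SAMPLE_EVENTS = [
    {"ParentImage": MMC, "ParentCommandLine": f'"{MMC}" eventvwr.msc',
     "Image": r"C:\Windows\System32\cmd.exe"},                 # trusted dir
    {"ParentImage": MMC, "ParentCommandLine": f'"{MMC}" "C:\\Users\\Public\\invoice.msc"',
     "Image": r"C:\Users\Public\update.exe"},                  # flagged
    {"ParentImage": MMC, "ParentCommandLine": f'"{MMC}" services.msc',
     "Image": r"C:\Windows\System32\..\Temp\svchost.exe"},     # flagged after normpath
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Users\Public\update.exe"},                  # parent not mmc
]
if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Running it flags only the two children spawned from outside the allowlist; the traversal case shows why the prefix filter should be applied to a normalised path rather than the raw Image string.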
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1218.014
Created: 2024-02-09