Processes created by netsh

Splunk Security Content

Summary
This rule identifies potentially malicious use of the 'netsh.exe' command-line utility, which can manipulate network settings on a Windows system. It specifically searches for processes created by 'netsh.exe', that is, commands that 'netsh.exe' launches as child processes. 'netsh.exe' can be exploited as a persistence technique, often by loading a helper .dll file when it executes. The search query uses Sysmon EventID 1 (process creation) data, focusing on events where 'netsh.exe' is the parent, and reports the user, destination host, child process and parent process details. The rule is deprecated because a more effective detection exists, but it serves as a reminder of the risks associated with 'netsh.exe' appearing in environments where it is not normally used. Any unusual child process spawned by 'netsh.exe' should be thoroughly investigated, with a noted exception for the legitimate 'sedlauncher.exe' from Microsoft.
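The following is an added example, not the rule's own SPL or any Splunk Security Content code: it re-implements the summary's matching logic (Sysmon EventID 1, parent image netsh.exe, sedlauncher.exe excluded) in Python over constructed Sysmon-style records so the match and the exception can be checked outside Splunk. Field names follow Sysmon's process-creation event; the sample events are constructed, not real telemetry.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry). EventID 1 is process
# creation; the EventID 3 record stands in for an unrelated network event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\netsh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\netsh.exe",
     "Image": r"C:\Program Files\rempl\sedlauncher.exe",
     "CommandLine": "sedlauncher.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventID": 3, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

# The one legitimate child the summary names; extend only with care.
ALLOWED_CHILDREN = {"sedlauncher.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes)."""
    return ntpath.basename(path or "").lower()


def find_netsh_children(events, allowlist=ALLOWED_CHILDREN):
    """Return process-creation events whose parent is netsh.exe, minus allow-listed children.

    netsh.exe itself being launched (third sample) is NOT a hit: the rule looks
    at what netsh.exe spawns, not at who spawns netsh.exe.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:                       # process creation only
            continue
        if image_name(ev.get("ParentImage")) != "netsh.exe":
            continue
        if image_name(ev.get("Image")) in allowlist:     # noted exception
            continue
        hits.append({"dest": ev.get("Computer"), "user": ev.get("User"),
                     "parent_process": ev.get("ParentImage"),
                     "process": ev.get("Image"),
                     "command_line": ev.get("CommandLine")})
    return hits


if __name__ == "__main__":
    for hit in find_netsh_children(SAMPLE_EVENTS):
        print(hit)
```

Only the cmd.exe child is reported; the allow-listed sedlauncher.exe child, the netsh.exe launch by explorer.exe and the non-process event are all dropped.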
Categories
  • Endpoint
Data Sources
  • Process
  • Logon Session
ATT&CK Techniques
  • T1562.004
Created: 2024-11-14