
Summary
The rule 'Suspicious SysAidServer Child' detects potentially malicious child processes spawned by the SysAidServer executable, in particular in the context of intrusions conducted by the MERCURY threat actor. It matches process creations whose parent is an instance of 'java.exe' or 'javaw.exe' and whose command line includes 'SysAidServer'. Because MERCURY has been known to exploit Java vulnerabilities to compromise systems, the rule is useful for spotting unexpected or unauthorized process creation related to SysAidServer. The detection relies on Windows process creation logs and is mapped to the lateral movement tactics described in cybersecurity frameworks. The rule currently has a status of test and a level of medium, indicating a moderate threat that warrants further investigation when it fires. References to related threat intelligence provide additional context on its relevance in real-world scenarios.
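The parent/command-line match the summary describes, run over a few constructed Windows process-creation events, as an added example that is not the rule file or any code from the rule's project. It assumes the 'SysAidServer' substring is checked against the parent (java) command line, as the summary's wording implies, and treats string matches case-insensitively; the event field names and all sample values are constructed.

```python
"""Added example: replicate the 'Suspicious SysAidServer Child' match over
constructed process-creation events. Not the project's own code."""
from dataclasses import dataclass
import ntpath

# Hypothetical event shape modelled on Windows process-creation fields.
@dataclass(frozen=True)
class ProcessCreation:
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str

JAVA_LAUNCHERS = ("java.exe", "javaw.exe")

def is_suspicious_sysaidserver_child(ev: ProcessCreation) -> bool:
    """True when the parent is java.exe/javaw.exe (any path) and the parent
    command line mentions SysAidServer, ignoring case."""
    parent_name = ntpath.basename(ev.parent_image).lower()
    if parent_name not in JAVA_LAUNCHERS:
        return False
    return "sysaidserver" in ev.parent_command_line.lower()

def scan(events):
    """Return the child image of every event the rule would flag."""
    return [ev.image for ev in events if is_suspicious_sysaidserver_child(ev)]

# Constructed sample events (paths and arguments are made up).
SAMPLE_EVENTS = [
    # SysAidServer's bundled JVM spawning a shell: should match.
    ProcessCreation(
        parent_image=r"C:\Program Files\SysAidServer\jre\bin\java.exe",
        parent_command_line=r'"C:\Program Files\SysAidServer\jre\bin\java.exe" '
                            r'-Dcatalina.home="C:\Program Files\SysAidServer\tomcat"',
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe",
    ),
    # Unrelated javaw.exe launching a helper: no SysAidServer, no match.
    ProcessCreation(
        parent_image=r"C:\Program Files\Java\jre\bin\javaw.exe",
        parent_command_line=r'javaw.exe -jar C:\Tools\build.jar',
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe",
    ),
    # explorer.exe with SysAidServer in its arguments: wrong parent, no match.
    ProcessCreation(
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line=r'explorer.exe "C:\Program Files\SysAidServer"',
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
    ),
]
```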
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Application Log
Created: 2022-08-26