
Suspicious Parent Double Extension File Execution

Sigma Rules

Summary
This detection rule identifies the execution of files with suspicious double extensions by inspecting the ParentImage and ParentCommandLine fields of Windows process creation events. Such names pair a legitimate document extension (for example .doc or .xls) with a misleading executable extension (for example .lnk or .js) and are often used in cyberattacks to bypass security measures and execute malicious payloads. The rule triggers if the ParentImage of a process ends with one of the specified suspicious double extensions, or if the ParentCommandLine contains one of them. The detection is classified as high severity because double-extension file execution can lead to malware infections or data breaches. It is relevant for environments seeking to strengthen their defenses against execution tactics commonly used in phishing and malware delivery. The references from VirusTotal and security blogs illustrate the behavior associated with these attacks and underline the importance of monitoring and responding to such threats.
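The following is an added illustration, not the Sigma rule itself: a small Python evaluator that applies the ParentImage "ends with" and ParentCommandLine "contains" checks described above to constructed Sysmon-style process creation events. The extension list, field names and sample events are assumptions; the real rule's list may differ.

```python
# Added example: evaluate the double-extension parent check over sample events.
# Matching is case-insensitive, as Sigma string modifiers are by default.

# Assumed extension pairs (document extension + misleading execution extension).
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt")
EXEC_EXTS = (".lnk", ".js", ".vbs", ".exe")
DOUBLE_EXTS = tuple(d + e for d in DOC_EXTS for e in EXEC_EXTS)


def is_suspicious_parent(event: dict) -> bool:
    """Return True when the parent image or parent command line carries a double extension."""
    parent_image = (event.get("ParentImage") or "").lower()
    parent_cmd = (event.get("ParentCommandLine") or "").lower()
    if parent_image.endswith(DOUBLE_EXTS):          # ParentImage|endswith
        return True
    return any(ext in parent_cmd for ext in DOUBLE_EXTS)  # ParentCommandLine|contains


def match_events(events: list) -> list:
    """Return the EventIDs of all events that satisfy the detection."""
    return [e["EventID"] for e in events if is_suspicious_parent(e)]


# Constructed sample events (Sysmon Event ID 1 style, fields reduced for brevity).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Users\alice\Downloads\Invoice.pdf.exe",
     "ParentCommandLine": r'"C:\Users\alice\Downloads\Invoice.pdf.exe"',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 2,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Report.XLS.js"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3,
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4,  # benign: a single, legitimate document extension
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\quarterly.docx"',
     "Image": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    print("Matching EventIDs:", match_events(SAMPLE_EVENTS))  # prints [1, 2]
```

Substring matching on the command line is deliberately broad, so a production deployment should be tuned against known-benign parent processes before alerting at high severity.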
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-01-06