
Summary
This detection rule identifies uncommon child processes spawned by 'BgInfo.exe', a legitimate Windows utility that displays system information on the desktop. Because BgInfo.exe can be abused to execute payloads through an external VBScript, a trusted binary becomes a vehicle for attacker code. The rule uses process creation logs from Windows systems and flags any child process that has 'BgInfo.exe' as its parent and is not part of the utility's normal behaviour, since such a process may indicate execution through scripting or defense evasion. Known abuse patterns involving 'BgInfo.exe' make this detection especially relevant in Windows environments. Deploying the rule helps security teams spot post-exploitation activity in which attackers rely on trusted binaries to advance their objectives.
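The following is an added example, written for this page rather than taken from the rule itself, showing how the parent/child check described above can be applied to process creation events. The event field names follow a Sysmon-style shape (Image, ParentImage, CommandLine), the allowlist of expected child processes is an assumption rather than a published baseline, and the sample events are constructed, not real telemetry.

```python
# Added example: minimal detector for unexpected child processes of BgInfo.exe.
# Not the rule's own logic. ASSUMPTIONS: Sysmon-style field names (Image,
# ParentImage, CommandLine) and a constructed allowlist of benign children.

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (Sysmon Event ID 1 style fields)."""
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that created it
    command_line: str   # command line of the new process


# Child images BgInfo.exe is assumed to start during normal use (ASSUMPTION,
# not derived from the page; tune against a baseline of your own telemetry).
BENIGN_CHILDREN = {"conhost.exe"}


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (matching is by name only)."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event: ProcessEvent) -> bool:
    """True when BgInfo.exe is the parent and the child is outside the allowlist."""
    if _basename(event.parent_image) != "bginfo.exe":
        return False
    return _basename(event.image) not in BENIGN_CHILDREN


def find_suspicious(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a stream of events down to those the rule would alert on."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). The second one models the
# scripting-engine child the rule is meant to surface.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\conhost.exe", r"C:\Tools\BgInfo.exe",
                 "conhost.exe 0x4"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Tools\BgInfo.exe",
                 r"wscript.exe C:\Users\Public\example.vbs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe"),
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT parent={e.parent_image} child={e.image} "
              f"cmdline={e.command_line!r}")
```

Matching on the parent's file name alone is what keeps the rule simple, but it also means a renamed copy of BgInfo.exe would not be caught; in production the same check is usually paired with fields such as the binary's original file name or hash, and the allowlist is tuned from a baseline of what BgInfo.exe actually spawns in the environment.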
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2019-10-26