Windows Server Update Service Spawning Suspicious Processes

Elastic Detection Rules

Summary
This rule identifies potentially malicious processes spawned by the Windows Server Update Service (WSUS), which may indicate exploitation or the presence of a web shell backdoor. It uses an EQL query that looks for suspicious child processes such as cmd.exe, powershell.exe and rundll32.exe started by WSUS service processes such as w3wp.exe or WsusService.exe. The rule works by monitoring logs from endpoint and system monitoring tools, including Elastic and Microsoft Defender for Endpoint. When the rule fires, investigators are advised to examine the child process details, the timeline of events and related network activity. Key investigation steps include assessing any unauthorized command-line activity, correlating the alert with other security events, isolating affected systems and applying the relevant remediation actions. The rule is classified as high severity, indicating significant risk, and is mapped to multiple MITRE ATT&CK techniques under the Initial Access and Execution tactics. Additional context is provided through investigation guides, references and links to official vulnerability details.
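To make the parent/child logic in the summary concrete, here is an added Python illustration (not the rule's EQL query and not Elastic's code) that applies it to constructed process-creation events; the WsusPool application-pool check on w3wp.exe is an assumption added here so that shells under unrelated IIS sites do not match.

```python
from dataclasses import dataclass

# Parent and child process names the rule summary describes.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record, shaped like endpoint telemetry."""
    parent_name: str
    parent_cmdline: str
    child_name: str
    child_cmdline: str


def is_wsus_parent(ev: ProcessEvent) -> bool:
    """True when the parent is a WSUS service process.

    w3wp.exe is the generic IIS worker, so (an assumption added here, not
    stated by the rule summary) it only counts when started for the WSUS
    application pool, which IIS names WsusPool.
    """
    name = ev.parent_name.lower()
    if name not in WSUS_PARENTS:
        return False
    return name == "wsusservice.exe" or "wsuspool" in ev.parent_cmdline.lower()


def matches_rule(ev: ProcessEvent) -> bool:
    """WSUS parent AND a child from the flagged set (case-insensitive)."""
    return is_wsus_parent(ev) and ev.child_name.lower() in SUSPICIOUS_CHILDREN


def triage(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return only the events that fire the rule, in arrival order."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample telemetry (not from any real host): two WSUS-parented
# shells, one shell under an unrelated IIS app pool, one benign WSUS child.
SAMPLE_EVENTS = [
    ProcessEvent("w3wp.exe", r'C:\Windows\System32\inetsrv\w3wp.exe -ap "WsusPool"',
                 "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("w3wp.exe", r'C:\Windows\System32\inetsrv\w3wp.exe -ap "DefaultAppPool"',
                 "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("WsusService.exe", "WsusService.exe",
                 "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent("WsusService.exe", "WsusService.exe", "conhost.exe", "conhost.exe 0x4"),
]
```

Running `triage(SAMPLE_EVENTS)` returns the first and third events only; the DefaultAppPool shell is excluded by the pool check and conhost.exe is not in the flagged child set.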
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
  • Application Log
  • Sensor Health
ATT&CK Techniques
  • T1190
  • T1059
  • T1059.001
  • T1059.003
Created: 2025-10-24