
Summary
The 'Unusual AppCert Child Process' detection rule identifies potentially malicious behavior involving appcert.exe, the Windows Application Certification Kit utility. This command-line tool is legitimate and is normally used to verify that applications comply with Microsoft's certification requirements. However, threat actors may abuse it to execute malicious code by having it launch child processes from locations other than its expected paths. The detection is implemented in Splunk using Sysmon data and monitors instances where appcert.exe spawns a child process outside the two known-good directories: 'C:\Program Files\Windows Kits\10\App Certification Kit\' and 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\'. The rule uses regex filtering to check the parent process name and the path of the executing process. A child process created outside the allowed paths indicates possible use of appcert.exe for 'Living Off the Land' (LOL) attacks, in which attackers use tools already present on a system to evade detection.
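The rule's logic applied to a few constructed Sysmon process-creation records, as an added illustration rather than the rule's own Splunk search: the parent image must be appcert.exe and the child image must fall outside the two known-good kit directories named above. The event field names follow Sysmon Event ID 1 (Image, ParentImage); the sample paths and file names are invented for the example.

```python
import re

# Known-good directories named in the rule; a child launched by appcert.exe
# from anywhere else is flagged. Case-insensitive to match Windows paths.
ALLOWED_CHILD_RE = re.compile(
    r"^C:\\Program Files( \(x86\))?\\Windows Kits\\10\\App Certification Kit\\",
    re.IGNORECASE,
)
# Parent must be appcert.exe, whatever directory it was started from.
APPCERT_PARENT_RE = re.compile(r"(^|\\)appcert\.exe$", re.IGNORECASE)


def is_unusual_appcert_child(event: dict) -> bool:
    """True when a Sysmon Event ID 1 record shows appcert.exe spawning a
    child whose image lives outside the allowed kit directories."""
    if event.get("EventID") != 1:  # only process-creation events apply
        return False
    if not APPCERT_PARENT_RE.search(event.get("ParentImage", "")):
        return False
    return ALLOWED_CHILD_RE.match(event.get("Image", "")) is None


def find_alerts(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_unusual_appcert_child(e)]


# Constructed sample records (not real telemetry).
APPCERT_X86 = r"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe"
SAMPLE_EVENTS = [
    # Benign: child lives inside the allowed kit directory.
    {"EventID": 1, "ParentImage": APPCERT_X86,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\helper.exe"},
    # Suspicious: child launched from a user-writable location.
    {"EventID": 1, "ParentImage": APPCERT_X86,
     "Image": r"C:\Users\Public\updater.exe"},
    # Suspicious: mixed-case parent name must still match.
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Windows Kits\10\App Certification Kit\APPCERT.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Unrelated: parent is not appcert.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # Not a process-creation event, so ignored even with a suspicious path.
    {"EventID": 3, "ParentImage": APPCERT_X86, "Image": r"C:\Users\Public\updater.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["ParentImage"], "->", alert["Image"])
```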
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1127
- T1218
Created: 2024-02-09