Identifies unusual child processes initiated by the CrushFTP service, potentially signaling exploitation of remote code execution flaws like CVE-2025-31161, which allows RCE via crafted HTTP requests. The detection targets frequently misused Windows executables (e.g., powershell.exe, cmd.exe) often leveraged by attackers for executing malicious commands after gaining access....