
Command Output Redirected to Localhost

Anvilogic Forge

Summary
This detection rule identifies command output being redirected to localhost, a behavior commonly seen in post-exploitation activity, notably by threat actors such as Mustang Panda. It uses Windows event logs for process creation (EventCode 4688) and network share access (EventCode 5145) to find commands run through cmd.exe or similar executables whose output is directed to the local loopback address (127.0.0.1). A regex extracts the network share name involved in the command, and the relevant data points are aggregated to summarize the potentially malicious activity on the endpoint. Statistical evaluation over a 1-second window catches the related artifacts in near real time, giving security teams actionable insight into suspicious internal network activity that may indicate an exploitation attempt.
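As an added illustration, not Anvilogic's own rule code, the correlation the summary describes written in Python over constructed 4688/5145 events; the flattened field names, the share-name regex and the sample events are assumptions.

```python
import re
from datetime import datetime

# Redirect operator followed by a UNC path on the loopback address; group 1 is the
# share name (assumption: share names contain no spaces or backslashes).
LOOPBACK_REDIRECT = re.compile(r"[12]?>>?\s*\\\\127\.0\.0\.1\\([^\\\s]+)", re.IGNORECASE)

# Constructed sample events in a flattened Security-log shape (only the fields used).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "host": "WS01", "time": "2024-02-09T10:00:00.100",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\__out 2>&1"},
    {"EventCode": 5145, "host": "WS01", "time": "2024-02-09T10:00:00.600",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__out"},
    {"EventCode": 4688, "host": "WS02", "time": "2024-02-09T10:05:00.000",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir > C:\temp\out.txt"},  # local file, not loopback
    {"EventCode": 5145, "host": "WS02", "time": "2024-02-09T10:05:00.300",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"temp\out.txt"},
]


def detect_loopback_redirects(events, window_seconds=1.0):
    """One finding per 4688 event whose command line redirects output to a
    \\127.0.0.1\\<share> path, with a count of 5145 events on the same host for
    that share that arrive within window_seconds after the process creation."""
    ts = datetime.fromisoformat
    share_access = [e for e in events if e["EventCode"] == 5145]
    findings = []
    for e in events:
        if e["EventCode"] != 4688:
            continue
        m = LOOPBACK_REDIRECT.search(e.get("CommandLine", ""))
        if not m:
            continue
        share = m.group(1)
        t0 = ts(e["time"])
        # Corroborating share access: same host, matching share, inside the window.
        hits = [s for s in share_access
                if s["host"] == e["host"]
                and s["ShareName"].upper().endswith("\\" + share.upper())
                and 0 <= (ts(s["time"]) - t0).total_seconds() <= window_seconds]
        findings.append({"host": e["host"], "process": e["NewProcessName"],
                         "share": share, "share_access_events": len(hits)})
    return findings
```

The regex hit on the 4688 event is the primary signal; the 5145 count only corroborates it, so a finding is still raised when no share access lands inside the window.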
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1074
  • T1059
Created: 2024-02-09