CMD execution with _c

Anvilogic Forge

Summary
This detection rule identifies command execution on Windows through the cmd.exe /c syntax, a technique commonly used by attackers to run a command in a hidden manner and have the command prompt close as soon as it completes. The rule uses EDR process telemetry to inspect recent process events for command lines that include the /c flag, which runs a single transient command and exits without leaving a detailed, lingering trace. By focusing on the last two hours of events in a Windows environment, the detection aims to capture activity associated with threat actors such as Mustang Panda and Volt Typhoon, as well as malware families such as DarkGate and Snatch. Used effectively, this rule can help security analysts respond to incidents faster and pinpoint malicious activity in environments where cmd.exe is a common command execution interface. The rule maps to technique T1059.003 (Windows Command Shell) in the MITRE ATT&CK framework and is further supported by several atomic tests covering command execution patterns.
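The detection logic described above, written out as an added example (this is not the Forge rule's own query, which this page does not reproduce); the event schema, field names and sample EDR records are constructed for illustration:

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample EDR process events (not real telemetry).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"time": NOW - timedelta(minutes=5), "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami > C:\Users\Public\o.txt"},
    {"time": NOW - timedelta(minutes=30), "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /k dir"},                      # /k keeps the shell open
    {"time": NOW - timedelta(hours=3), "host": "WS03", "user": "carol",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "CMD.EXE /C net user"},                 # matches, but outside window
    {"time": NOW - timedelta(minutes=10), "host": "WS04", "user": "dave",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe /c"},                      # /c but not cmd.exe
    {"time": NOW - timedelta(minutes=1), "host": "WS05", "user": "SYSTEM",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmd.exe" /c echo test'},
]

# /c as a standalone switch; cmd.exe also accepts /C, hence IGNORECASE.
C_SWITCH = re.compile(r"(?<!\S)/c(?!\S)", re.IGNORECASE)


def is_cmd_exe(image: str) -> bool:
    """Match on the image file name so both System32 and SysWOW64 copies count."""
    return image.lower().rsplit("\\", 1)[-1] == "cmd.exe"


def detect_cmd_c(events, now=None, window=timedelta(hours=2)):
    """Return events in the last `window` where cmd.exe ran with the /c switch."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - window
    hits = []
    for ev in events:
        if ev["time"] < cutoff:
            continue
        if not is_cmd_exe(ev["image"]):
            continue
        if not C_SWITCH.search(ev["cmdline"]):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect_cmd_c(EVENTS, now=NOW):
        print(hit["host"], hit["user"], hit["cmdline"])
```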
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1036
  • T1059.003
Created: 2024-02-09