
Summary
This analytic has been deprecated. It was designed to detect a command shell being invoked to enumerate environment variables (most commonly 'cmd /c set') by a parent process that is not itself a shell, a pattern associated with malware such as Qakbot, which uses the output to profile the host before deciding on follow-on actions. The logic examines process-creation telemetry from Endpoint Detection and Response (EDR) products, Sysmon (Event ID 1) or the Windows Security event log (Event ID 4688, which only carries the command line if process command-line auditing is enabled), and evaluates the parent-child relationship together with the command-line arguments. An alert is raised when the command is spawned by a non-shell parent such as 'explorer.exe' or another normally legitimate system process, which can indicate that the parent has been compromised (for example through code injection) and is being used to stage further activity, persistence or data exfiltration. Because 'cmd /c set' alone is also used by legitimate scripts and installers, the parent process, the user context and any output redirection should be reviewed before treating a hit as malicious.
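The detection logic described above, as an added example that is not the analytic's own search or any Splunk-shipped code: it is a small Python filter run over constructed Sysmon-style process-creation events. Field names (parent_process_name, process_name, process) follow the normalized Endpoint.Processes data model, the list of tolerated shell parents is an assumption chosen for this example, and every event below is constructed rather than real telemetry.

```python
"""Added example: flag cmd.exe enumerating environment variables when its
parent is not a shell. Illustrative code, not the original analytic's search."""
import re
from typing import Dict, Iterable, List

# Assumption: interactive shells and scripting hosts are allowed to spawn
# "cmd /c set"; everything else (explorer.exe, Office, services) is suspicious.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}

# Match "cmd /c set", "cmd.exe /C set", a quoted full path to cmd.exe, and
# "set" followed only by end of line or a redirect/pipe. "set FOO=bar"
# (assigning a variable rather than dumping the environment) is not matched.
CMD_SET_RE = re.compile(
    r'"?cmd(?:\.exe)?"?\s+/c\s+set(?:\s*$|\s*[>|&])',
    re.IGNORECASE,
)


def is_suspicious(event: Dict[str, str]) -> bool:
    """Return True when cmd.exe dumps the environment and its parent is not a shell."""
    if event.get("process_name", "").lower() != "cmd.exe":
        return False
    if not CMD_SET_RE.search(event.get("process", "")):
        return False
    parent = event.get("parent_process_name", "").lower()
    return parent not in SHELL_PARENTS


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an iterable of normalized process events down to the hits."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # explorer.exe spawning cmd to dump the environment: should alert
    {"host": "ws01", "parent_process_name": "explorer.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c set"},
    # a shell spawning a shell: tolerated
    {"host": "ws01", "parent_process_name": "cmd.exe",
     "process_name": "cmd.exe", "process": "cmd /c set"},
    # Office parent, full path, output redirected to a file: should alert
    {"host": "ws02", "parent_process_name": "WINWORD.EXE",
     "process_name": "cmd.exe",
     "process": '"C:\\Windows\\System32\\cmd.exe" /C set > C:\\Users\\Public\\env.txt'},
    # non-shell parent but a different command: not this analytic's concern
    {"host": "ws02", "parent_process_name": "explorer.exe",
     "process_name": "cmd.exe", "process": "cmd /c dir"},
    # PowerShell parent: tolerated by the SHELL_PARENTS assumption
    {"host": "ws03", "parent_process_name": "powershell.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c set"},
    # assigning a variable, not enumerating: not matched by the regex
    {"host": "ws03", "parent_process_name": "explorer.exe",
     "process_name": "cmd.exe", "process": "cmd /c set FOO=bar"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['parent_process_name']} -> {hit['process']}")
```

Running the block prints the two hits (the explorer.exe and WINWORD.EXE parents). In a real deployment the SHELL_PARENTS allow-list is where most tuning happens: build tooling and installers that legitimately wrap 'cmd /c set' should be added per environment rather than suppressing the whole rule.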
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1055
Created: 2025-01-24