
Windows Command Shell DCRat ForkBomb Payload

Splunk Security Content

Summary
The Windows Command Shell DCRat ForkBomb Payload analytic detects execution of the DCRat forkbomb payload on a Windows host. The payload spawns many cmd.exe processes, each of which rapidly launches notepad.exe, a process chain that indicates infection by the DCRat Remote Access Trojan. The detection uses EDR telemetry, specifically Sysmon and Windows Event Log process-creation records, to track created processes and their parent-child hierarchy, and flags a host on which cmd.exe and notepad.exe creations recur within a 30-second window. The behavior matters because uncontrolled process spawning exhausts CPU and memory and can render the host unresponsive, disrupting services; the alert gives security teams an early and accurate indicator of a DCRat infection.
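As an added example, not the Splunk rule's own SPL (which this page does not reproduce), the following Python implements the counting logic described above over constructed Sysmon EventID 1 style process-creation records. Field names follow the Endpoint.Processes data model (`dest`, `process_name`, `parent_process_name`); the thresholds of 10 cmd.exe and 10 notepad.exe creations per 30-second window, and the sample events, are assumptions for illustration only. It also contrasts a sliding window with fixed 30-second buckets, since a burst that straddles a bucket edge can fall below threshold in both halves.

```python
"""Toy detector for the DCRat fork-bomb pattern: many cmd.exe and notepad.exe
process creations on one host inside a 30-second window (example, not Splunk code)."""
from collections import defaultdict


def _ev(t, dest, name, parent, ppid, pid):
    """Constructed process-creation record using Endpoint.Processes field names."""
    return {"_time": t, "dest": dest, "process_name": name,
            "parent_process_name": parent, "parent_process_id": ppid, "process_id": pid}


def _burst(dest, start, generations, parent_pid=800, pid=900):
    """Constructed fork-bomb chain: each second a cmd.exe (child of cmd.exe) launches
    notepad.exe and another cmd.exe, so every generation adds two creations."""
    out = []
    for i in range(generations):
        t = start + i
        out.append(_ev(t, dest, "cmd.exe", "cmd.exe", parent_pid, pid))
        out.append(_ev(t, dest, "notepad.exe", "cmd.exe", pid, pid + 1))
        parent_pid, pid = pid, pid + 2
    return out


# Constructed sample telemetry (not real logs):
#   WS01 - benign: an admin's cmd.exe opens notepad.exe twice over a minute.
#   WS02 - fork bomb: 20 generations (40 creations) in 20 seconds.
#   WS03 - fork bomb: 11 generations straddling the 3000 s bucket boundary.
SAMPLE_EVENTS = [
    _ev(1000, "WS01", "cmd.exe", "explorer.exe", 4, 500),
    _ev(1002, "WS01", "notepad.exe", "cmd.exe", 500, 501),
    _ev(1055, "WS01", "notepad.exe", "cmd.exe", 500, 502),
] + _burst("WS02", 2000, 20) + _burst("WS03", 2995, 11)


def _classify(e):
    """Map a record to 'cmd', 'notepad' (only when parented by cmd.exe) or None."""
    name = e["process_name"].lower()
    if name == "cmd.exe":
        return "cmd"
    if name == "notepad.exe" and e["parent_process_name"].lower() == "cmd.exe":
        return "notepad"
    return None


def detect_forkbomb(events, span=30, min_cmd=10, min_notepad=10):
    """Sliding window: one alert per host whose busiest `span`-second window holds at
    least min_cmd cmd.exe and min_notepad cmd.exe->notepad.exe creations.
    Thresholds are assumptions, not the Splunk rule's values."""
    by_host = defaultdict(list)
    for e in events:
        kind = _classify(e)
        if kind:
            by_host[e["dest"]].append((e["_time"], kind))
    alerts = []
    for dest, evs in by_host.items():
        evs.sort()
        counts, left, best = {"cmd": 0, "notepad": 0}, 0, None
        for t, kind in evs:
            counts[kind] += 1
            while evs[left][0] <= t - span:      # expire events older than the window
                counts[evs[left][1]] -= 1
                left += 1
            if counts["cmd"] >= min_cmd and counts["notepad"] >= min_notepad:
                total = counts["cmd"] + counts["notepad"]
                if best is None or total > best["total"]:
                    best = {"dest": dest, "window_start": evs[left][0], "window_end": t,
                            "cmd_count": counts["cmd"], "notepad_count": counts["notepad"],
                            "total": total}
        if best:
            alerts.append(best)
    return alerts


def tumbling_alerts(events, span=30, min_cmd=10, min_notepad=10):
    """Same thresholds counted per fixed bucket (floor(_time / span) * span), the way a
    `bin _time span=30s` style aggregation would. Returns the sorted set of alerting hosts."""
    counts = defaultdict(lambda: {"cmd": 0, "notepad": 0})
    for e in events:
        kind = _classify(e)
        if kind:
            counts[(e["dest"], int(e["_time"] // span) * span)][kind] += 1
    return sorted({dest for (dest, _), c in counts.items()
                   if c["cmd"] >= min_cmd and c["notepad"] >= min_notepad})


if __name__ == "__main__":
    for a in detect_forkbomb(SAMPLE_EVENTS):
        print("sliding:", a)
    print("tumbling:", tumbling_alerts(SAMPLE_EVENTS))
```

Run as written, the sliding window raises alerts for both WS02 and WS03 while the fixed buckets only catch WS02: WS03's 11-second burst is split 5/6 across the 2970 and 3000 buckets and never reaches 10 in either. When tuning a bucketed search, either lower the per-bucket threshold or overlap the windows to keep that gap from becoming a blind spot.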
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1059.003
  • T1059
Created: 2024-12-10