
Execution from a Removable Media with Network Connection

Elastic Detection Rules

Summary
This detection rule identifies process executions initiated from removable media, particularly USB devices, on Windows systems and correlates them with any network connection attempts made shortly after execution. The rule aims to capture potential malware activity where adversaries abuse autorun features when removable media is inserted into target systems, especially those that are air-gapped or otherwise isolated. By focusing on processes that lack valid code signatures and correlating them with outbound network activity, the rule can highlight unauthorized access attempts and potential malicious behavior. Investigation should examine details such as the device used, the process execution path, and the network behavior to ascertain the legitimacy of the activity. False positives may arise from legitimate software installations, so an exclusion mechanism for known trustworthy applications is warranted. Recommended response actions include isolating affected systems, scanning for malware, and investigating suspicious communications.
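The correlation the summary describes, as an added example that is not the rule's own query or Elastic code: an unsigned process started from a removable volume becomes a candidate, and a network connection attempted by that same process within a short window produces an alert. The event shape, field names, removable-drive inventory, and the exclusion list keyed on executable name are simplifying assumptions; the telemetry below is constructed.

```python
"""Correlate unsigned removable-media process starts with early network activity."""

# Constructed sample telemetry (not real data). Drives E: and F: are assumed removable.
REMOVABLE_DRIVES = {"E:", "F:"}
EVENTS = [
    {"ts": 100.0, "kind": "process_start", "entity": "p1", "executable": "E:\\setup.exe",
     "signature_trusted": False},
    {"ts": 103.5, "kind": "network_connect", "entity": "p1", "destination": "203.0.113.10:443"},
    {"ts": 200.0, "kind": "process_start", "entity": "p2", "executable": "E:\\VendorInstall.exe",
     "signature_trusted": True},            # validly signed: never a candidate
    {"ts": 201.0, "kind": "network_connect", "entity": "p2", "destination": "198.51.100.5:443"},
    {"ts": 300.0, "kind": "process_start", "entity": "p3", "executable": "E:\\tool.exe",
     "signature_trusted": False},
    {"ts": 420.0, "kind": "network_connect", "entity": "p3", "destination": "192.0.2.7:8080"},
    {"ts": 500.0, "kind": "process_start", "entity": "p4", "executable": "C:\\Tools\\x.exe",
     "signature_trusted": False},           # fixed disk: out of scope for this rule
    {"ts": 501.0, "kind": "network_connect", "entity": "p4", "destination": "192.0.2.9:80"},
]


def from_removable_media(executable: str) -> bool:
    """True when the executable's drive letter belongs to a known removable volume."""
    return executable[:2].upper() in REMOVABLE_DRIVES


def correlate(events, maxspan=60.0, exclusions=frozenset()):
    """Return one alert per unsigned removable-media process whose first network
    connection attempt happens within `maxspan` seconds of process start.
    Events are keyed on a unique process entity id, not a reusable PID."""
    pending = {}   # entity id -> qualifying process start awaiting a network event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "process_start":
            exe = ev["executable"]
            if (from_removable_media(exe) and not ev["signature_trusted"]
                    and exe.rsplit("\\", 1)[-1].lower() not in exclusions):
                pending[ev["entity"]] = ev
        elif ev["kind"] == "network_connect":
            start = pending.pop(ev["entity"], None)   # one verdict per process start
            if start is None:
                continue
            delta = ev["ts"] - start["ts"]
            if delta <= maxspan:
                alerts.append({"entity": ev["entity"], "executable": start["executable"],
                               "destination": ev["destination"], "seconds_after_start": delta})
    return alerts
```

With the defaults, only p1 alerts: p2 is signed, p3 connects outside the 60-second window, and p4 runs from a fixed disk; adding "setup.exe" to `exclusions` models the trusted-application exclusion the summary calls for.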
Categories
  • Endpoint
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1091
Created: 2023-09-27