IIS Worker (W3WP) Spawn Command Line

Anvilogic Forge

Summary
This detection rule identifies potentially malicious instances where the Internet Information Services (IIS) Worker Process (w3wp.exe) spawns command-line utilities such as cmd.exe or PowerShell. Because w3wp.exe hosts web-facing applications, a threat actor who compromises such an application (for example through a web shell) can run unauthorized commands or scripts under the worker process and blend in with legitimate server activity. The rule uses Splunk's query language to parse EDR process logs and flag events in which w3wp.exe is the parent of a command interpreter, which indicates possible exploitation or misuse. It additionally counts the distinct process names spawned by w3wp.exe on a host within a fixed timeframe, so that bursts of varied command execution, a pattern typical of hands-on-keyboard activity, are surfaced as anomalous.
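The following is an added example of the detection logic described above, written here for illustration; it is not Anvilogic's rule and does not reproduce their SPL. It runs over a handful of constructed JSON-lines EDR events (the field names `ts`, `host`, `parent_image`, `image` and `cmdline`, the 5-minute window and the distinct-name threshold of 2 are all assumptions), first flagging any cmd.exe / powershell.exe / pwsh.exe child of w3wp.exe, then bucketing those hits per host into time windows and raising a correlated alert when several different interpreters appear in the same window.

```python
"""
Toy implementation of the w3wp.exe -> command interpreter detection.
Added example, not Anvilogic's rule. Log shape, window and threshold are assumed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

PARENT = "w3wp.exe"
# Interpreters named on the page, plus pwsh.exe (the PowerShell 7 binary).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (assumed generic EDR JSON-lines format). Includes
# two true positives on web01, a legitimate ASP.NET compile (csc.exe), a
# cmd.exe with a non-IIS parent, and a lone hit on web02 later in the day.
SAMPLE_LOGS = r"""
{"ts": "2024-02-09T10:00:01Z", "host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2024-02-09T10:00:07Z", "host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Process"}
{"ts": "2024-02-09T10:01:30Z", "host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "cmdline": "csc.exe /noconfig /fullpaths @tmp.cmdline"}
{"ts": "2024-02-09T10:02:00Z", "host": "web02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2024-02-09T10:30:00Z", "host": "web02", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig"}
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    child: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> list[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def find_hits(events: Iterable[dict]) -> list[Hit]:
    """Stage 1: every command interpreter whose parent is w3wp.exe."""
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) != PARENT:
            continue
        child = basename(ev["image"])
        if child in SUSPICIOUS_CHILDREN:
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            hits.append(Hit(ts, ev["host"], child, ev.get("cmdline", "")))
    return hits


def bucket(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to a fixed window, like Splunk's `bin _time span=5m`."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // window) * window


def correlate(hits: Iterable[Hit], window: timedelta = timedelta(minutes=5),
              min_distinct: int = 2) -> list[dict]:
    """Stage 2: per host and window, alert when several distinct children appear."""
    groups: dict[tuple[str, datetime], list[Hit]] = defaultdict(list)
    for h in hits:
        groups[(h.host, bucket(h.ts, window))].append(h)
    alerts = []
    for (host, start), hs in sorted(groups.items()):
        names = sorted({h.child for h in hs})
        if len(names) >= min_distinct:
            alerts.append({"host": host, "window_start": start.isoformat(),
                           "distinct_children": names, "count": len(hs),
                           "cmdlines": [h.cmdline for h in hs]})
    return alerts


def run_detection(text: str) -> tuple[list[Hit], list[dict]]:
    hits = find_hits(parse_events(text.splitlines()))
    return hits, correlate(hits)


if __name__ == "__main__":
    found, alerts = run_detection(SAMPLE_LOGS)
    for h in found:
        print(f"HIT   {h.ts.isoformat()} {h.host} w3wp.exe -> {h.child}: {h.cmdline}")
    for a in alerts:
        print(f"ALERT {a['host']} from {a['window_start']}: {a['distinct_children']}")
```

Stage 1 alone yields three hits, including the single `cmd.exe /c ipconfig` on web02; stage 2 only raises a correlated alert for web01, where cmd.exe and powershell.exe both appear within one window. Tuning the window and threshold is where false positives from legitimate IIS child processes (compilers, diagnostic tooling) are traded against missed single-command probes, so keeping the raw stage-1 hits available for triage is worthwhile even when only stage 2 pages an analyst.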
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • Process
  • Command
  • Logon Session
ATT&CK Techniques
  • T1505.004
  • T1218
Created: 2024-02-09