
Summary
This anomaly rule detects Windows command-line tools (cmd.exe, powershell.exe, pwsh.exe) executed from the IIS installation directory (typically C:\Windows\System32\inetsrv). Such activity can indicate exploitation or post-exploitation activity targeting IIS-dependent applications (for example, Exchange) by using the web server host as a launcher for remote commands, script execution, or file operations. The rule uses endpoint telemetry from Sysmon Event ID 1 and CrowdStrike ProcessRollup2 and requires ingesting complete command-line data and process relationships, normalized to the Endpoint process data model. It flags cases where a process runs with a current directory inside inetsrv and has a parent process of cmd.exe, powershell.exe, or pwsh.exe, capturing key fields (process name, path, GUIDs, user, and parent process) to support investigation. The detection prioritizes suspicious execution in an IIS directory; however, occasional legitimate admin scripts or automation tasks may trigger the rule, so triage is advised before alerting.
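The matching logic described above, written out as an added example that is not the rule's own search: it walks constructed Endpoint-model process events (Sysmon Event ID 1 style), flags those whose current directory is inside inetsrv and whose parent is cmd.exe, powershell.exe or pwsh.exe, and returns the investigation fields. The event field names and GUID values are assumptions chosen for the example.

```python
import ntpath

# Parent launchers named on the page; comparison is case-insensitive.
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IIS_DIR = r"c:\windows\system32\inetsrv"
INVESTIGATION_FIELDS = ("process_name", "process_path", "process_guid", "user",
                        "parent_process_name", "parent_process_guid",
                        "process_current_directory")

# Constructed sample events already normalized to Endpoint data model names
# (field names and GUIDs are assumed for this example).
EVENTS = [
    # suspicious: cmd.exe launched a tool with cwd in inetsrv (trailing backslash)
    {"process_name": "whoami.exe", "process_path": r"C:\Windows\System32\whoami.exe",
     "process_guid": "{guid-1}", "user": r"IIS APPPOOL\DefaultAppPool",
     "parent_process_name": "cmd.exe", "parent_process_guid": "{guid-0}",
     "process_current_directory": "C:\\Windows\\System32\\inetsrv\\"},
    # benign: the IIS worker itself is the parent, not a shell
    {"process_name": "w3wp.exe", "process_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "process_guid": "{guid-2}", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "svchost.exe", "parent_process_guid": "{guid-3}",
     "process_current_directory": r"C:\Windows\System32\inetsrv"},
    # benign: shell parent but cwd outside the IIS directory
    {"process_name": "ipconfig.exe", "process_path": r"C:\Windows\System32\ipconfig.exe",
     "process_guid": "{guid-4}", "user": r"CORP\admin",
     "parent_process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process_guid": "{guid-5}", "process_current_directory": r"C:\Users\admin"},
    # suspicious: mixed-case subdirectory of inetsrv, pwsh.exe parent
    {"process_name": "certutil.exe", "process_path": r"C:\Windows\System32\certutil.exe",
     "process_guid": "{guid-6}", "user": r"IIS APPPOOL\MSExchangeOWAAppPool",
     "parent_process_name": "pwsh.exe", "parent_process_guid": "{guid-7}",
     "process_current_directory": r"c:\windows\system32\INETSRV\config"},
]

def in_iis_dir(cwd: str) -> bool:
    """True when cwd is inetsrv itself or any directory beneath it."""
    norm = cwd.replace("/", "\\").rstrip("\\").lower()
    return norm == IIS_DIR or norm.startswith(IIS_DIR + "\\")

def parent_name(event: dict) -> str:
    # Some sources carry the full parent image path; keep only the file name.
    return ntpath.basename(event.get("parent_process_name", "")).lower()

def matches(event: dict) -> bool:
    return in_iis_dir(event.get("process_current_directory", "")) \
        and parent_name(event) in LAUNCHERS

def detect(events: list) -> list:
    """Return the investigation fields for every event the rule would flag."""
    return [{f: e.get(f) for f in INVESTIGATION_FIELDS} for e in events if matches(e)]
```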
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1190
- T1505.004
Created: 2026-04-13