
Summary
This detection rule identifies indirect command execution through the Program Compatibility Assistant (PCA) on Windows systems, specifically via the 'pcwrun.exe' process. The PCA exists to help older applications run on newer versions of Windows, but adversaries can abuse it to execute commands indirectly. The rule monitors process creation events and captures instances where 'pcwrun.exe' is the parent process of another spawned command line. Key fields for analysis are 'ComputerName', 'User', 'ParentCommandLine', and 'CommandLine'. The rule triggers whenever a process is started by 'pcwrun.exe', which covers both legitimate compatibility use and evasion by adversaries. To sharpen detection and reduce noise from legitimate use, analysts are advised to add further filtering or unique-count methods so that outlier behaviour stands out from common occurrences.
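The following is an added example, not code from the rule page itself: it applies the rule's core logic (parent process is 'pcwrun.exe', judged from 'ParentCommandLine') to constructed process-creation events, then applies the unique-count filter the rule recommends by keeping only child command lines seen on few hosts. The event dictionaries, host names and command lines are constructed sample data.

```python
# Added example, not the rule's own code: match process-creation events whose
# parent is pcwrun.exe, then keep only rare child command lines (unique-count
# across ComputerName) as the rule's noise-reduction advice suggests.
import ntpath

# Constructed sample events using the field names the rule describes.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "User": "CORP\\alice",
     "ParentCommandLine": '"C:\\Windows\\System32\\pcwrun.exe" C:\\Tools\\legacyapp.exe',
     "CommandLine": "C:\\Tools\\legacyapp.exe"},
    {"ComputerName": "WS02", "User": "CORP\\bob",
     "ParentCommandLine": '"C:\\Windows\\System32\\pcwrun.exe" C:\\Tools\\legacyapp.exe',
     "CommandLine": "C:\\Tools\\legacyapp.exe"},
    {"ComputerName": "WS03", "User": "CORP\\carol",
     "ParentCommandLine": "PCWRUN.EXE C:\\Tools\\legacyapp.exe",
     "CommandLine": "C:\\Tools\\legacyapp.exe"},
    {"ComputerName": "WS03", "User": "CORP\\carol",
     "ParentCommandLine": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},                      # not a pcwrun child
    {"ComputerName": "WS04", "User": "CORP\\dave",
     "ParentCommandLine": '"C:\\Windows\\System32\\pcwrun.exe" C:\\Users\\Public\\x.cmd',
     "CommandLine": "cmd.exe /c C:\\Users\\Public\\x.cmd"},  # seen on one host only
]

def parent_executable(parent_cmdline):
    """Lower-case basename of the parent's executable, taken from the first
    token of ParentCommandLine (a quoted path or a bare token)."""
    s = parent_cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def matches_rule(event):
    """Core rule logic: the spawning parent process is pcwrun.exe."""
    return parent_executable(event.get("ParentCommandLine", "")) == "pcwrun.exe"

def outlier_matches(events, max_hosts=1):
    """Noise reduction the rule recommends: keep only hits whose child
    CommandLine was seen on at most max_hosts distinct ComputerName values."""
    hits = [e for e in events if matches_rule(e)]
    hosts_per_cmd = {}
    for e in hits:
        hosts_per_cmd.setdefault(e["CommandLine"].lower(), set()).add(e["ComputerName"])
    return [e for e in hits if len(hosts_per_cmd[e["CommandLine"].lower()]) <= max_hosts]

if __name__ == "__main__":
    for e in outlier_matches(SAMPLE_EVENTS):
        print(e["ComputerName"], e["User"], e["CommandLine"])
```

On the sample data the raw rule fires four times, three of them for the same legacy application across three hosts; the unique-count filter leaves only the single-host event on WS04 for analyst review.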
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-10-12