
Summary
This detection rule identifies suspicious use of the 'appcmd' command-line tool to create global URL rewrite rules in Internet Information Services (IIS) on Windows. It is designed to catch cases where an attacker uses 'appcmd' to add a rewrite rule that facilitates access to an unauthorized webshell. The detection logic keys on the process image 'appcmd.exe' together with specific command-line arguments, so that executions that manipulate the URL rewrite configuration are flagged. By monitoring process creation events for command lines containing the terms associated with creating or modifying global rewrite rules (such as 'set', 'config', and 'commit'), security teams can quickly triage the event and respond. Because 'appcmd' is a legitimate and versatile administration tool, care is needed to distinguish valid administrative changes from exploitation attempts. The rule aims to reduce attacker dwell time by surfacing a significant configuration change that might otherwise go unnoticed in routine activity logs.
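The detection logic described above, applied to constructed process-creation events, as an added example (this is not the rule's own code or the project's code). It assumes that the rule matches on an image name ending in 'appcmd.exe' and on the co-occurrence of 'set', 'config' and 'commit' in the command line; the additional check for the IIS 'system.webServer/rewrite/globalRules' section path is an assumption added here to separate global rules from site-level ones, not a term quoted from the summary. The sample log lines are constructed and shaped like Sysmon process-creation fields.

```python
"""Toy implementation of the appcmd global URL rewrite rule detection."""
import json
from typing import Dict, Iterable, List

# Terms the summary names as indicators of a rewrite-rule change.
REQUIRED_TERMS = ("set", "config", "commit")

# Assumption: also require the IIS configuration section that holds global
# rewrite rules, so that site-level rule edits do not fire the detection.
# The section path is a real IIS section; its presence in the rule is assumed.
GLOBAL_RULES_SECTION = "system.webserver/rewrite/globalrules"


def is_appcmd(image: str) -> bool:
    """True when the process image is appcmd.exe, regardless of case or path."""
    return image.lower().replace("/", "\\").endswith("\\appcmd.exe")


def is_global_rewrite_change(event: Dict[str, str]) -> bool:
    """Apply the detection logic to a single process-creation event."""
    if not is_appcmd(event.get("Image", "")):
        return False
    cmdline = event.get("CommandLine", "").lower()
    # Substring matching mirrors a 'contains' condition; all terms must co-occur.
    return (
        all(term in cmdline for term in REQUIRED_TERMS)
        and GLOBAL_RULES_SECTION in cmdline
    )


def load_events(text: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the EventId of every event that matches the detection."""
    return [e["EventId"] for e in events if is_global_rewrite_change(e)]


# Constructed sample telemetry (not real data). Event 1 adds a global rewrite
# rule, event 3 edits a site-level rule, event 4 is not appcmd at all, and
# event 5 repeats event 1 in upper case to exercise case-insensitive matching.
SAMPLE_LOG = r'''
{"EventId": "1", "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe", "CommandLine": "appcmd set config -section:system.webServer/rewrite/globalRules /+\"[name='proxy',patternSyntax='ECMAScript',stopProcessing='True']\" /commit:apphost"}
{"EventId": "2", "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe", "CommandLine": "appcmd list site"}
{"EventId": "3", "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe", "CommandLine": "appcmd set config \"Default Web Site\" -section:system.webServer/rewrite/rules /+\"[name='trim']\" /commit:apphost"}
{"EventId": "4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c \"echo set config globalRules commit\""}
{"EventId": "5", "Image": "C:\\Windows\\System32\\inetsrv\\APPCMD.EXE", "CommandLine": "APPCMD SET CONFIG -section:system.webServer/rewrite/globalRules /commit:apphost"}
'''


def detect_sample() -> List[str]:
    """Run the detection over the constructed sample log."""
    return scan(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    print("Matched EventIds:", detect_sample())  # → ['1', '5']
```

Because the match is a plain substring test, 'set' alone would hit many benign commands; requiring all three terms plus the global rules section keeps the alert focused on the configuration change the rule is about. Triage still has to confirm whether the change was an approved administrative action.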
Categories
- Windows
- Web
- Infrastructure
Data Sources
- Process
Created: 2023-01-22