
Summary
This detection rule monitors execution of the Windows shutdown command from the command line, using process telemetry from Endpoint Detection and Response (EDR) agents. It matches on the process name and command-line arguments associated with `shutdown.exe`. Execution of this command can be a meaningful indicator of malicious activity: attackers may use it to erase traces of their actions, to cause system disruption, or to make changes required by a backdoor installation take effect. A malicious shutdown can lead to operational downtime or denial of service, and may help evade security mechanisms, weakening the network's security posture. The rule uses Sysmon and Windows Event Log data to track this behavior, making it easier for analysts to identify potentially harmful command-line shutdown executions.
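As an added illustration of the matching logic described above (example code, not the rule's own query), the following Python applies the same process-name and command-line criteria to constructed Sysmon Event ID 1 style records. The field names (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`) follow Sysmon's process-creation event; the sample events and host/user names are constructed.

```python
import ntpath

# Switch meanings follow Microsoft's documented shutdown.exe usage.
SWITCHES = {"/s": "shutdown", "/r": "restart", "/p": "power off",
            "/f": "force close apps", "/l": "log off", "/h": "hibernate"}

def is_shutdown_binary(event: dict) -> bool:
    """Match on the image basename and on Sysmon's OriginalFileName,
    so a renamed copy of the binary is still caught."""
    names = (ntpath.basename(event.get("Image", "")),
             event.get("OriginalFileName", ""))
    return any(n.lower() == "shutdown.exe" for n in names)

def summarize_args(cmdline: str) -> dict:
    """Extract the action switches and the /t timeout from a command line.
    Both '/x' and '-x' switch forms are accepted, as shutdown.exe does."""
    tokens = [t.strip('"') for t in cmdline.split()]
    actions, timeout = [], None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low.startswith("-"):
            low = "/" + low[1:]
        if low in SWITCHES:
            actions.append(SWITCHES[low])
        elif low == "/t" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            timeout = int(tokens[i + 1])
    return {"actions": actions, "timeout_seconds": timeout}

def detect(events: list) -> list:
    """Return one finding per shutdown.exe process creation in the events."""
    findings = []
    for ev in events:
        if not is_shutdown_binary(ev):
            continue
        info = summarize_args(ev.get("CommandLine", ""))
        findings.append({"host": ev["Computer"], "user": ev["User"],
                         "parent": ntpath.basename(ev.get("ParentImage", "")),
                         **info,
                         # an immediate (/t 0) forced reboot is the case to triage first
                         "immediate": info["timeout_seconds"] == 0})
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records, not real telemetry
    {"Computer": "WS01", "User": "CORP\\alice", "OriginalFileName": "shutdown.exe",
     "Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown.exe /r /f /t 0",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "OriginalFileName": "svchost.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "WS02", "User": "CORP\\bob", "OriginalFileName": "shutdown.exe",
     "Image": r"C:\Temp\upd.exe", "CommandLine": '"C:\\Temp\\upd.exe" -s -t 300 -c "patching"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two findings: the forced immediate reboot from `cmd.exe` and the renamed binary on WS02, while the `svchost.exe` record is ignored.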
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1529
Created: 2024-11-13