Remote Thread Created In Shell Application

Sigma Rules

Summary
This detection rule identifies the creation of remote threads in command shell applications such as CMD.EXE, POWERSHELL.EXE, and PWSH.EXE. Remote thread creation is commonly used by malware for code injection and execution within legitimate processes, a technique seen in campaigns such as those involving IcedID. By monitoring for processes that attempt to create threads in these shell applications, organizations can detect, and potentially mitigate, malicious behavior indicative of attacks that evade defenses through process tampering. The rule's logic requires that the detected target image end with one of the specified shell application names, and the rule carries a medium alert level, indicating a significant potential threat. False positives are categorized as unknown, meaning the detection may trigger in some benign scenarios but no clearly defined list of them exists. The rule is marked as experimental and is part of a larger effort to bolster endpoint security by leveraging threat research insights.
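The matching logic described above, run over a few constructed Sysmon Event ID 8 (CreateRemoteThread) records, as an added example that is not the rule's own code or part of the original page; it assumes the telemetry arrives as newline-delimited JSON with Sysmon's SourceImage and TargetImage field names, and mirrors Sigma's case-insensitive endswith matching.

```python
"""Added example: apply the 'remote thread created in shell application'
logic to constructed Sysmon Event ID 8 (CreateRemoteThread) records.
Not the rule's own code; field names follow the Sysmon event schema."""
import json

# Shell application names the rule keys on; matching mirrors Sigma's
# case-insensitive 'endswith' on the TargetImage field.
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def is_remote_thread_into_shell(event: dict) -> bool:
    """Return True when a CreateRemoteThread event targets a shell process."""
    if event.get("EventID") != 8:
        return False  # only CreateRemoteThread events are in scope
    target = event.get("TargetImage", "").lower()
    return target.endswith(SHELL_IMAGES)


def scan(events_jsonl: str) -> list:
    """Run the rule over newline-delimited JSON events.
    Returns (SourceImage, TargetImage) pairs for each hit."""
    hits = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_remote_thread_into_shell(event):
            hits.append((event.get("SourceImage", ""), event.get("TargetImage", "")))
    return hits


# Constructed sample telemetry (not real captures): one thread into
# powershell.exe, one into cmd.exe with mixed case, one into a non-shell
# target, and one process-creation event (EventID 1) that must be ignored.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe",
                "TargetImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\u\\Downloads\\loader.exe",
                "TargetImage": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Program Files\\Vendor\\agent.exe",
                "TargetImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}),
])

if __name__ == "__main__":
    for src, dst in scan(SAMPLE_EVENTS):
        print(f"ALERT remote thread: {src} -> {dst}")
```

The third and fourth records show why the rule is scoped to the target image of a thread-creation event rather than to any event mentioning a shell binary.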
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2024-07-29