Python Spawning Pretty TTY on Windows

Sigma Rules

Summary
This rule identifies Python processes on Windows whose command line imports the 'pty' module and calls its 'spawn' function. pty.spawn() starts a child process attached to a pseudo-terminal and is the standard way to upgrade a non-interactive reverse shell into a fully interactive one; the idiom appears in widely shared reverse-shell one-liners, where the entire payload is passed on the command line with 'python -c', which is why it is visible in process creation telemetry at all. The rule matches process creation events whose image name ends with python.exe, python3.exe or python2.exe and whose command line satisfies at least one of the 'pty' selections: an import of 'pty' together with a call to 'spawn' (for example 'import pty' alongside '.spawn('), or a 'from pty import spawn' statement. Sigma string matching is case-insensitive by default, so casing tricks in the one-liner do not evade it. The 'pty' module is documented as Unix-only, so on a native Windows host such a command line fails at import time; the process creation event is recorded regardless, and an attempted pty-based shell upgrade launched from python.exe on Windows is rarely legitimate. Administrative scripting seldom produces this pattern, so on a hit the parent process and any network connections opened by the Python process are the first things to pivot to.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-06-03