
Summary
This rule detects unusual processes on Windows endpoints that resolve domains belonging to free certificate providers such as Let's Encrypt and ZeroSSL. Attackers obtain certificates from these providers so that their command and control (C2) servers present valid TLS certificates and the encrypted traffic blends in with ordinary HTTPS. The rule looks for DNS queries issued by processes whose image paths match typical Windows executable locations, and excludes common legitimate processes that are expected to contact these domains (browsers and the Windows certificate engine performing OCSP or CRL checks, ACME clients renewing certificates), since those lookups are routine on most hosts. A match is an indicator of possible C2 activity rather than proof of it; investigation should establish whether the querying process is legitimate, whether its binary path and signature are what is expected, and whether its other network connections are consistent with its purpose.
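The matching logic described above, as an added example that is not the rule's own search and not code from this corpus: a small offline Python re-implementation run over constructed DNS query records. It assumes Sysmon Event ID 22 style telemetry with Image and QueryName fields; the provider domain list, the "typical Windows executable path" patterns and the allowlist of legitimate processes are illustrative assumptions, not the rule's exact lists.

```python
"""
Added example (not part of the original rule page): a minimal, offline
re-implementation of the rule's matching logic over constructed Sysmon
Event ID 22 (DNS query) records.

Assumptions, all mine rather than the page's:
  - the telemetry is Sysmon EID 22 with Image and QueryName fields;
  - the free-certificate domain list (Let's Encrypt and ZeroSSL) is
    illustrative, not the rule's exact list;
  - the "typical Windows executable path" patterns and the allowlist of
    legitimate processes are illustrative.
"""
from dataclasses import dataclass
import ntpath
import re

# Domains operated by free certificate providers. Matching is on a
# domain suffix so that subdomains such as r3.o.lencr.org (Let's Encrypt
# OCSP) and api.zerossl.com are caught. Assumed list.
FREE_CERT_DOMAINS = (
    "letsencrypt.org",
    "lencr.org",
    "zerossl.com",
)

# Path patterns standing in for "typical Windows executable paths".
# Assumed patterns; case-insensitive, forward/back slash tolerant.
WINDOWS_EXE_PATHS = re.compile(
    r"^[a-z]:[\\/](windows|program files( \(x86\))?|programdata|users)[\\/].+\.exe$",
    re.IGNORECASE,
)

# Processes that legitimately reach these domains (browsers and the
# Windows certificate chain engine doing OCSP/CRL checks, ACME clients
# such as certbot or win-acme). Assumed allowlist.
ALLOWED_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "svchost.exe", "certbot.exe", "wacs.exe",
}


@dataclass(frozen=True)
class DnsQueryEvent:
    computer: str
    image: str       # full path of the querying process
    query_name: str  # domain requested


def domain_matches(query_name: str, suffixes=FREE_CERT_DOMAINS) -> bool:
    """True if query_name is one of the provider domains or a subdomain
    of one. Matching on a label boundary avoids hitting an unrelated
    look-alike such as notlencr.org."""
    name = query_name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def is_candidate(event: DnsQueryEvent) -> bool:
    """Apply the three conditions the rule summary describes:
    typical Windows executable path, free-cert provider domain,
    process not on the legitimate-use allowlist."""
    image = event.image.strip()
    if not WINDOWS_EXE_PATHS.match(image):
        return False
    if ntpath.basename(image).lower() in ALLOWED_IMAGES:
        return False
    return domain_matches(event.query_name)


def parse_line(line: str) -> DnsQueryEvent:
    """Parse a constructed key="value" line shaped like a flattened
    Sysmon EID 22 record."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return DnsQueryEvent(fields["Computer"], fields["Image"], fields["QueryName"])


def find_hits(lines):
    """Return the events that the rule would surface."""
    return [e for e in map(parse_line, lines) if is_candidate(e)]


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    'EventID="22" Computer="WS01" Image="C:\\Windows\\System32\\svchost.exe" QueryName="r3.o.lencr.org"',
    'EventID="22" Computer="WS01" Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" QueryName="api.zerossl.com"',
    'EventID="22" Computer="WS01" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" QueryName="acme-v02.api.letsencrypt.org"',
    'EventID="22" Computer="WS02" Image="C:\\ProgramData\\sync\\sync.exe" QueryName="api.zerossl.com"',
    'EventID="22" Computer="WS02" Image="C:\\Windows\\Temp\\beacon.exe" QueryName="www.notlencr.org"',
    'EventID="22" Computer="WS02" Image="C:\\Windows\\Temp\\beacon.exe" QueryName="update.example.com"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LINES):
        print(f"{hit.computer}: {hit.image} -> {hit.query_name}")
```

Only the two unsigned-looking binaries in user-writable locations (update.exe under Temp and sync.exe under ProgramData) survive the filter; svchost.exe and chrome.exe are dropped by the allowlist even though they resolve provider domains, and the look-alike notlencr.org is rejected by suffix matching on a label boundary rather than a substring test. In a real deployment the allowlist is the part that needs tuning per environment.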
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- Windows Registry
- Process
ATT&CK Techniques
- T1573
Created: 2020-11-04