
Summary
This detection rule identifies potentially malicious execution of the Equation Editor application (EQNEDT32.EXE), which is exploited through Microsoft Office vulnerabilities, specifically CVE-2017-11882 and CVE-2018-0798. These vulnerabilities allow arbitrary code execution via crafted files and primarily target users who open malicious documents. The rule uses Windows Sysmon logs to detect executions of EQNEDT32.EXE and checks the parent process context to determine whether it correlates with known malicious activity associated with Advanced Persistent Threats (APTs) such as Bitter APT and others. Using Splunk, the detection aggregates and organizes the matching events to provide visibility into potentially exploitative actions occurring within a user session.
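The following is an added example, not the Splunk rule itself, showing the detection logic described above as a small Python program run over constructed Sysmon Event ID 1 (process creation) records. The field names follow Sysmon's process-creation schema; the list of Office parent processes, the sample events and the user-level grouping are assumptions made for this illustration.

```python
# Added example (not the rule's own SPL): re-implementation of the summary's
# logic - an EQNEDT32.EXE process creation whose parent is an Office
# application - applied to constructed Sysmon Event ID 1 records.
from collections import defaultdict

# Assumption: Office applications that make up the "parent process context"
# the summary refers to. Extend for the Office versions in your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TARGET_IMAGE = "eqnedt32.exe"

# Constructed Sysmon records (dicts keyed like Sysmon XML event-data fields).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-09 10:00:01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:00:04", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"},
    # Equation Editor started through COM: the parent is a service host, so the
    # parent-process check alone does not fire on this record.
    {"EventID": 1, "UtcTime": "2024-02-09 11:30:00", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    # A file-creation event (ID 11); not a process creation, so it is skipped.
    {"EventID": 11, "UtcTime": "2024-02-09 11:30:02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\tmp1.dat"},
]


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(ev):
    """True when a process-creation event is EQNEDT32.EXE spawned by Office."""
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) == TARGET_IMAGE
            and basename(ev.get("ParentImage", "")) in OFFICE_PARENTS)


def detect(events):
    """Return matching events grouped per user, mirroring the rule's
    per-user-session aggregation (grouping key is an assumption)."""
    findings = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            findings[ev.get("User", "<unknown>")].append({
                "time": ev.get("UtcTime"),
                "parent": basename(ev.get("ParentImage", "")),
                "image": ev.get("Image"),
            })
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{hit['time']} {user}: {hit['parent']} -> {hit['image']}")
```

On the sample data only the WINWORD.EXE-parented launch is reported. The svchost.exe-parented record is deliberately included to show that a parent-process check alone misses an Equation Editor instance started via COM, which is why the rule's aggregation per user session, together with the other data sources listed below, matters when triaging such events.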
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1203
Created: 2024-02-09