
Summary
This detection rule identifies executions of the Windows shutdown command that are used to log off users. The shutdown command is a common administrative tool with legitimate system-management uses, such as shutting down or restarting a system. Using it to log off users, however, is atypical and may indicate malicious behavior, such as an attacker terminating user sessions or disrupting operations. The rule triggers on process creation events whose command line shows shutdown.exe invoked with the '/l' parameter, the flag that logs off the current user. Monitoring this usage helps identify unauthorized access or activity that could lead to data breaches or service interruptions.
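The matching logic described above, written out as an added example (not part of the original rule) over constructed process-creation records. It keys on the image path rather than the command-line text alone, and treats a dash-prefixed switch as equivalent, since shutdown.exe accepts both forms.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessCreationEvent:
    """Minimal view of a process-creation event (e.g. Sysmon EID 1 / Security 4688)."""
    image: str
    command_line: str


# The process image must be shutdown.exe; matching only on the command line
# would also fire on unrelated processes whose arguments happen to contain "/l".
IMAGE_RE = re.compile(r"\\shutdown\.exe$", re.IGNORECASE)

# The /l switch as a standalone token. shutdown.exe also accepts "-l", and the
# lookahead keeps "/logoff"-style strings from matching.
LOGOFF_SWITCH_RE = re.compile(r"(?:^|\s)[/-]l(?=\s|$)", re.IGNORECASE)


def is_shutdown_logoff(event: ProcessCreationEvent) -> bool:
    """Return True when the event is shutdown.exe invoked with the log-off switch."""
    if not IMAGE_RE.search(event.image):
        return False
    return bool(LOGOFF_SWITCH_RE.search(event.command_line))


def matching_events(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if is_shutdown_logoff(e)]


# Constructed sample events: two should match, three should not.
SAMPLE_EVENTS = [
    ProcessCreationEvent(r"C:\Windows\System32\shutdown.exe", "shutdown /l"),
    ProcessCreationEvent(r"C:\Windows\System32\shutdown.exe", "shutdown.exe -L"),
    ProcessCreationEvent(r"C:\Windows\System32\shutdown.exe", 'shutdown /r /t 0 /c "patch reboot"'),
    ProcessCreationEvent(r"C:\Windows\System32\shutdown.exe", "shutdown /s /t 30"),
    ProcessCreationEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo /l"),
]

if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} -> {hit.command_line}")
```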
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1529
Created: 2022-10-01