
Notepad with no Command Line Arguments

Splunk Security Content

Summary
This rule detects executions of Notepad.exe whose command line carries no arguments. A single argument-less Notepad launch is ordinary interactive use (Start menu, Run dialog), but several of them within a short window is a pattern associated with the Sliver C2 framework, which spawns notepad.exe as a sacrificial host process and injects its payload into it (process injection, ATT&CK T1055). The search runs over process-creation telemetry, Sysmon EventID 1, Windows Security event 4688 and EDR process events, and looks for Notepad process creations whose command line is nothing but the executable path, counted over a short time span. Attackers choose a signed, trusted binary such as Notepad so that the injected code runs inside a process that traditional controls treat as benign; if the activity is confirmed malicious it means arbitrary code execution and unauthorized access on the host. EDR telemetry on the resulting Notepad processes (parent process, later thread creation or memory access into the process) is what lets an analyst confirm injection and tie the activity to known tooling and to the tactics of advanced persistent threats (APTs).
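The detection logic in runnable form, as an added example that is not the Splunk search itself nor code from the Splunk Security Content project. It runs over constructed Sysmon EventID 1 style records (not real telemetry), treats a command line as argument-less only after Windows quoting rules are applied, and buckets hits per host and user into fixed windows the way a Splunk `bin _time span=` would. The 30-second window, the threshold of 3 and the parent path `update.exe` are assumptions for illustration, not the rule's documented values.

```python
"""Argument-less notepad.exe burst detection over constructed process-creation
records. Added example, not the Splunk Security Content search; the 30 s window
and threshold of 3 are assumed parameters, not the rule's documented values."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # naive epoch keeps bucketing timezone-independent


def split_windows_cmdline(command_line: str):
    """Split a Windows command line into (executable token, remaining arguments).
    A leading double quote delimits the executable; otherwise the first whitespace
    does, so a quoted path containing spaces still counts as 'no arguments'."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                       # unterminated quote: whole string is the exe
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def is_notepad_without_args(event) -> bool:
    """True when the created process is notepad.exe and nothing follows the
    executable on its command line. Identification uses the Image field, so the
    short form 'notepad.exe' and the full quoted path are handled alike."""
    image_name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name != "notepad.exe":
        return False
    _, rest = split_windows_cmdline(event["command_line"])
    return rest == ""


def find_notepad_bursts(events, window_seconds=30, threshold=3):
    """Bucket argument-less Notepad launches per host and user into fixed windows
    and report every window whose count reaches the threshold."""
    bins = defaultdict(list)
    for ev in events:
        if not is_notepad_without_args(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        since_epoch = int((t - EPOCH).total_seconds())
        bucket = since_epoch - since_epoch % window_seconds
        bins[(ev["host"], ev["user"], bucket)].append(ev)

    alerts = []
    for (host, user, bucket), evs in sorted(bins.items()):
        if len(evs) < threshold:
            continue
        alerts.append({
            "host": host,
            "user": user,
            "window_start": (EPOCH + timedelta(seconds=bucket)).isoformat(),
            "count": len(evs),
            # the parent process is the first thing to look at in triage
            "parents": sorted({e["parent_image"] for e in evs}),
        })
    return alerts


# Constructed sample telemetry (not captured from a real host). Fields mirror
# Sysmon EventID 1: Image, CommandLine, ParentImage, plus host and user.
SAMPLE_EVENTS = [
    {"time": "2024-11-13T10:00:01", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "parent_image": r"C:\Windows\explorer.exe"},
    # one argument-less launch from the Start menu: normal, stays below threshold
    {"time": "2024-11-13T10:05:00", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    # three argument-less launches in nine seconds from a hypothetical dropper
    {"time": "2024-11-13T11:30:00", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe"',
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"time": "2024-11-13T11:30:04", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"time": "2024-11-13T11:30:09", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe"  ',
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"time": "2024-11-13T11:30:12", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"time": "2024-11-13T11:30:40", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" /p C:\Users\alice\notes.txt',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in find_notepad_bursts(SAMPLE_EVENTS):
        print(alert)
```

Two points for anyone tuning this. Fixed bins are cheap and match what a tstats search does, but a burst that straddles a bin boundary is split in two and may fall under the threshold; a sliding window over the sorted events closes that gap. For triage, argument-less notepad.exe with explorer.exe as parent is the benign case; a parent in a user-writable directory, or Sysmon EventID 8 (CreateRemoteThread) or EventID 10 (ProcessAccess) targeting the new Notepad process, is what corroborates the injection the rule is hunting for.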
Categories
  • Endpoint
  • Windows
Data Sources
  • Sysmon EventID 1 (process creation)
  • Windows Security Event Log, EventID 4688 (process creation)
  • EDR process-creation telemetry
ATT&CK Techniques
  • T1055 (Process Injection)
Created: 2024-11-13