
Summary
The detection rule identifies a command obfuscation technique in which adversaries insert visually similar Unicode modifier letters into process command lines so that the command still reads normally to a human but no longer matches standard string-based detections. The rule uses EQL (Event Query Language) to alert when specific processes on Windows endpoints are executed with command lines containing these Unicode characters, catching obfuscation that bypasses basic substring checks. The guide provides a detailed investigation and response strategy for analyzing the process execution while accounting for false positives from legitimate Unicode usage, such as internationalized applications. Suggested investigation steps include reviewing process details, checking for persistence mechanisms, and correlating with other logs to establish broader attack patterns. If malicious activity is confirmed, recommended actions include isolating the host, terminating the process, collecting forensic evidence, and removing persistence entries.
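The check described above, reproduced as an added Python example that is not the rule's own EQL: it flags command lines containing any character in Unicode category Lm (modifier letters) and runs over constructed process events, including an internationalized path that must not trigger.

```python
import unicodedata

# Constructed process events (not from any real incident), shaped like the
# Windows process data the rule consumes: image name plus full command line.
SAMPLE_EVENTS = [
    {"process.name": "powershell.exe",
     "process.command_line": 'powershell.exe -Command "Get-Process"'},
    # U+02B0 MODIFIER LETTER SMALL H stands in for the ASCII 'h', so a plain
    # substring match on "powershell" misses it although it looks normal.
    {"process.name": "powershell.exe",
     "process.command_line": 'powers\u02b0ell.exe -Command "Get-Process"'},
    # Legitimate non-ASCII from a localized user profile: Cyrillic letters are
    # category Lu/Ll, not Lm, so they do not trigger this check.
    {"process.name": "notepad.exe",
     "process.command_line": 'notepad.exe "C:\\Users\\Иван\\отчёт.txt"'},
]


def find_modifier_letters(cmdline):
    """Return (offset, char, Unicode name) for every modifier letter (Lm)."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(cmdline)
            if unicodedata.category(ch) == "Lm"]


def alert_on_events(events):
    """Mimic the rule: emit an alert for each event whose command line holds
    at least one Lm character, carrying the hits for the analyst to review."""
    alerts = []
    for ev in events:
        hits = find_modifier_letters(ev["process.command_line"])
        if hits:
            alerts.append({"process.name": ev["process.name"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in alert_on_events(SAMPLE_EVENTS):
        print(alert["process.name"], [(h[1], h[2]) for h in alert["hits"]])
```

Category Lm also covers phonetic and transliteration marks, so a hit is a triage lead rather than a verdict; the offset and character name let an analyst see exactly what was substituted.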
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
- Logon Session
- File
ATT&CK Techniques
- T1027
- T1027.010
Created: 2025-11-13