Remote Access Tool - MeshAgent Command Execution via MeshCentral

Sigma Rules

Summary
This detection rule targets potential misuse of MeshAgent, the endpoint agent of the MeshCentral remote management platform, by monitoring process creation on the target host. It looks at the parent/child process relationship: an alert fires when `meshagent.exe` is the parent process of `cmd.exe`, `powershell.exe`, or `pwsh.exe`. Threat actors who control a MeshCentral server can use the agent's `win-console` functionality to execute commands in a way that blends in with ordinary remote-administration traffic, or use `win-dispatcher` to run harmful code through inter-process communication (IPC); in both cases the command ultimately lands in one of these shells with the agent as its parent.

Because legitimate administrators using MeshCentral's remote terminal produce exactly the same parent/child chain, careful analysis of the execution context (the host, the account, and the child's command line) is required in environments where MeshAgent is deployed intentionally, to avoid false positives. On hosts where MeshAgent is not expected at all, any match is a strong signal. This detection can help in early identification of command execution attempts indicative of an intrusion or malicious activity.
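The parent/child condition described above, as an added example that is not part of the Sigma rule or its documentation: a small Python matcher that applies the selection (parent image ends with `\meshagent.exe`, child image ends with `\cmd.exe`, `\powershell.exe`, or `\pwsh.exe`, compared case-insensitively as Sigma does) to constructed Sysmon-style process-creation events, and returns the matched command lines for triage. The field names `ParentImage`, `Image`, and `CommandLine` follow the Sigma Windows `process_creation` log source convention; the events and paths are constructed for the example.

```python
# Added example: a minimal matcher for the rule's parent/child process selection.
# Not the Sigma rule's own code; field names follow Sigma's process_creation
# convention, and all events below are constructed sample data.

# Sigma "endswith" on a backslash-prefixed name: this is what distinguishes
# "\meshagent.exe" from a lookalike such as "\notmeshagent.exe".
PARENT_SUFFIX = "\\meshagent.exe"
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def matches_meshagent_command_execution(event: dict) -> bool:
    """Return True when ParentImage ends with \\meshagent.exe and Image ends
    with one of the monitored shells. Sigma string matching is case-insensitive,
    so both fields are lower-cased before comparison."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith(PARENT_SUFFIX):
        return False
    return any(image.endswith(suffix) for suffix in CHILD_SUFFIXES)


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (Image, CommandLine) pairs for every matching event so an analyst
    can judge the execution context instead of acting on the match alone."""
    return [
        (e["Image"], e.get("CommandLine", ""))
        for e in events
        if matches_meshagent_command_execution(e)
    ]


# Constructed Sysmon Event ID 1-style events (not real telemetry).
SAMPLE_EVENTS = [
    {   # agent spawning cmd.exe: should match
        "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # agent spawning Windows PowerShell: should match
        "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-LocalUser",
    },
    {   # agent spawning something other than a shell: no match
        "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
    {   # cmd.exe from explorer.exe: wrong parent, no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # lookalike binary name: "notmeshagent.exe" does not end with "\meshagent.exe"
        "ParentImage": r"C:\Tools\notmeshagent.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {   # upper-case path and pwsh.exe: case-insensitive match
        "ParentImage": r"C:\PROGRAM FILES\MESH AGENT\MESHAGENT.EXE",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c Get-Process",
    },
]


def run_sample() -> list[tuple[str, str]]:
    """Apply the matcher to the constructed events; returns three hits."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, cmdline in run_sample():
        print(f"MATCH  {image}  |  {cmdline}")
```

The matcher deliberately returns the child's command line rather than just a boolean: on a host where MeshCentral is an approved tool, the triage decision turns on what was run and by whom, which is the context the rule summary asks the analyst to examine.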
Categories
  • Windows
  • Cloud
  • Application
Data Sources
  • Process
  • Logon Session
Created: 2024-09-22