This detection rule aims to identify when a submodule from a GitHub repository is cloned onto a Windows system through Git. Adversaries may exploit a known vulnerability in Git (CVE-2024-32002) that allows files to be written not just in the intended submodule's worktree but also directly in the `.git/` directory. As a result, a malicious hook can be executed during the clone operation without the user's awareness or opportunity to inspect the code. The rule utilizes Windows Event ID 4688, which logs process creation events, to monitor for the presence of specific terms such as 'git', 'gh', 'submodule', and 'clone'. When detected, it collects relevant information (timestamp, host, user, process details) for further investigation. This defensive measure supports proactive monitoring against potential exploitation of this vulnerability and is part of the broader command-and-control technique T1105 (Ingress Tool Transfer).