
Summary
This detection rule identifies potentially suspicious searches for JSON Web Tokens (JWTs) performed from the command line interface (CLI) on Windows systems. JWTs are widely used to transmit information securely between parties, and their exposure can lead to credential theft, particularly from Microsoft Office applications, where they are commonly used. The rule looks for strings in command line arguments that indicate the presence of JWT tokens, primarily the base64url-encoded header prefixes typically associated with JWTs: "eyJ0eX" and "eyJhbG". By monitoring process creation events, it flags any command line containing these strings, which may indicate an attempt to search for or exfiltrate JWT tokens. Such activity can be an early indicator of malicious behavior, especially when tied to unauthorized access attempts or privilege escalation. The rule's level is medium because legitimate administrative or scripting tasks can produce command lines that resemble these patterns and generate false positives.
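The following is an added illustration of the rule's logic, not part of the original rule or its source repository. The two marker strings are the base64url encoding of the first bytes of a JSON JOSE header: "eyJ0eX" is the encoded prefix of `{"typ` and "eyJhbG" the encoded prefix of `{"alg`. The code runs the substring check over constructed process-creation events (the event layout, image paths and command lines are made up for the example) and, to help with the false-positive triage the summary mentions, distinguishes a command line that merely contains a marker (a search pattern) from one that carries a complete, decodable token.

```python
import base64
import json
import re

# Marker substrings from the rule: base64url of the start of a JWT header.
# "eyJ0eX" == base64url('{"typ') prefix, "eyJhbG" == base64url('{"alg') prefix.
JWT_MARKERS = ("eyJ0eX", "eyJhbG")

# Shape of a full token: three base64url segments separated by dots.
# The signature segment may be empty for unsigned ("alg":"none") tokens.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used by JWT."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_header(token: str):
    """Return the parsed JOSE header of `token`, or None if the first segment
    is not a JSON object carrying 'alg' or 'typ'."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if isinstance(header, dict) and ("alg" in header or "typ" in header):
        return header
    return None


def classify(command_line: str):
    """Apply the rule to one command line.

    Returns None when no marker is present, "search" when a marker appears
    without a complete token (typically a search pattern), and "token" when a
    complete JWT with a decodable header is embedded in the command line."""
    if not any(marker in command_line for marker in JWT_MARKERS):
        return None
    for candidate in JWT_RE.findall(command_line):
        if decode_header(candidate) is not None:
            return "token"
    return "search"


def detect(events):
    """Run the rule over process-creation events (dicts with 'image' and
    'command_line') and return the matching events tagged with the match kind."""
    alerts = []
    for event in events:
        kind = classify(event["command_line"])
        if kind:
            alerts.append({**event, "match": kind})
    return alerts


def build_sample_events():
    """Constructed test data standing in for process-creation telemetry.
    The token is assembled here so no real credential material is embedded."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(b'{"sub":"user@example.test","exp":1700000000}')
    signature = b64url_encode(b"\x00" * 32)  # placeholder signature bytes
    token = f"{header}.{payload}.{signature}"
    return [
        {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": r'powershell.exe -c "Get-ChildItem $env:LOCALAPPDATA -Recurse | Select-String eyJ0eX"'},
        {"image": r"C:\Windows\System32\findstr.exe",
         "command_line": r"findstr /S /I eyJhbG C:\Users\*"},
        {"image": r"C:\Windows\System32\curl.exe",
         "command_line": f'curl.exe -H "Authorization: Bearer {token}" https://api.example.test/me'},
        {"image": r"C:\Windows\System32\cmd.exe",
         "command_line": r"cmd.exe /c dir C:\Temp"},
    ]


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f'{alert["match"]:6}  {alert["image"]}')
```

On the sample data the first two events are reported as "search" (a marker used as a pattern), the third as "token" (a full JWT passed on the command line), and the plain `dir` command does not match. Splitting the match kind this way lets an analyst route "token" hits, which expose the credential itself in process telemetry, ahead of "search" hits that may come from administrative scripting.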
Categories
- Windows
- Cloud
- Endpoint
Data Sources
- Process
Created: 2022-10-25