
Query Usage To Exfil Data

Sigma Rules

Summary
This detection rule identifies potential data exfiltration carried out with the `query.exe` system binary on Windows. `query.exe` is normally used to list session information and running processes on a Windows machine. By monitoring process creation events, the rule triggers when `query.exe` is invoked with command-line arguments that indicate its output is being redirected to capture session and process data; the command-line conditions include the fragments `session >` and `process >`. Such arguments in combination with the `query.exe` image path indicate suspicious behaviour, because attackers can abuse legitimate system tools to perform reconnaissance or collect data for later exploitation. Overall, this rule detects misuse of a common Windows binary and should form part of a broader threat detection strategy.
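The following Python snippet is an added example, not the Sigma rule's own source: it re-implements the two conditions described above (image path ending in `\query.exe`, command line containing `session >` or `process >`) and runs them over a handful of constructed process-creation records in a Sysmon Event ID 1 style. The field names `Image` and `CommandLine` and the sample events are assumptions made for the example; the whitespace normalization is a small hardening beyond the literal fragments so that `session  >` with doubled spaces still matches.

```python
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records written for this example, not captured telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Session list redirected to a local file: should match.
    {"Image": r"C:\Windows\System32\query.exe",
     "CommandLine": r"query session > C:\Users\Public\sessions.txt"},
    # Upper-case image and a UNC destination: should still match.
    {"Image": r"C:\Windows\System32\QUERY.EXE",
     "CommandLine": r"QUERY process > \\fileshare\drop\procs.txt"},
    # Ordinary interactive use with no redirection: benign.
    {"Image": r"C:\Windows\System32\query.exe",
     "CommandLine": "query user"},
    # The fragment appears, but the image is cmd.exe, not query.exe: no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "query session > out.txt"'},
    # Another benign query.exe invocation.
    {"Image": r"C:\Windows\System32\query.exe",
     "CommandLine": "query termserver"},
]

# Command-line fragments named in the rule description.
SUSPICIOUS_FRAGMENTS = ("session >", "process >")


def matches_query_exfil(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies both rule conditions.

    1. The process image ends with '\\query.exe'. Windows paths are
       case-insensitive, so the comparison is done in lower case.
    2. The command line contains 'session >' or 'process >'. Runs of
       whitespace are collapsed first so spacing variants are not missed.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\query.exe"):
        return False
    cmdline = " ".join(event.get("CommandLine", "").lower().split())
    return any(fragment in cmdline for fragment in SUSPICIOUS_FRAGMENTS)


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches_query_exfil(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block reports the first two sample events and nothing else. The fourth record shows why the image-path condition matters: the redirection string is present, but in the command line of `cmd.exe`. Because `cmd.exe` itself handles `>` and does not pass it on to the child process, a redirection typed at an interactive prompt shows up in the parent's command line rather than in `query.exe`'s, so a hunt built on this rule benefits from also searching parent-process command lines for the same fragments.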
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-08-01