
Summary
This detection rule identifies instances where 'explorer.exe' spawns 'powershell.exe' or 'cmd.exe' processes, focusing on executions initiated by LNK (Windows shortcut) files. This behavior is linked to the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where crafted LNK files can execute malicious code via 'cmd.exe' or 'powershell.exe'. Such techniques have been used by various APT groups in targeted attacks delivered over HTTP and SMB. By monitoring process creation through Sysmon EventID 1 and Windows Security Event Log event 4688, this hunting rule aims to help security teams detect and alert on abnormal process spawning that may indicate malicious activity.
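Added example (not the rule's own query or the vendor's code): a minimal Python hunt over constructed Sysmon EventID 1 and Security 4688 records that implements the parent/child check described above. Field names follow each event's schema; the `.lnk` command-line hint is an assumption added here for triage only and is not required to match.

```python
import ntpath

# Child images the rule treats as shells (pwsh.exe added here as an assumption).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def normalize(event):
    """Map a Sysmon EventID 1 or Security 4688 record to (source, parent, child, cmdline).
    Returns None for any other event type. Field names follow each event's own schema."""
    if event.get("EventID") == 1:
        src, parent, child = "sysmon", event["ParentImage"], event["Image"]
    elif event.get("EventID") == 4688:
        src, parent, child = "security", event["ParentProcessName"], event["NewProcessName"]
    else:
        return None
    # 4688 carries CommandLine only when command-line auditing is enabled, so default to "".
    return (src, ntpath.basename(parent).lower(), ntpath.basename(child).lower(),
            event.get("CommandLine", ""))


def check(event):
    """Return a finding dict when explorer.exe spawns a shell, otherwise None."""
    n = normalize(event)
    if n is None:
        return None
    src, parent, child, cmdline = n
    if parent != "explorer.exe" or child not in SHELLS:
        return None
    return {"record": event["RecordId"], "source": src, "child": child,
            # triage hint only: a .lnk path in the command line is not required by the rule
            "lnk_hint": ".lnk" in cmdline.lower()}


def hunt(events):
    """Run check() over a batch of events and keep only the findings."""
    return [f for f in (check(e) for e in events) if f]


# Constructed sample records (not real telemetry); paths and record ids are made up.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"powershell.exe" -File "C:\Users\u\Desktop\notes.lnk"'},
    {"RecordId": 2, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},  # no CommandLine: auditing off
    {"RecordId": 3, "EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 4, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\explorer.exe"},  # network event
]
```

Explorer launching cmd.exe or powershell.exe also happens when a user opens a shell from the Start menu, so tune the hunt against a baseline of normal launches before alerting on every match.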
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1059.001
- T1204.002
Created: 2025-03-24