
Summary
This analytic rule detects path traversal patterns in command-line executions, a technique commonly exploited by malicious documents to execute code through the Microsoft Support Diagnostic Tool (msdt.exe). Such behavior can circumvent security controls and lead to unauthorized code execution, privilege escalation, or persistence by attackers. Using process data from Endpoint Detection and Response (EDR) solutions and focusing on specific patterns in process paths and command lines, the rule highlights instances where a command may be manipulating path structures to reach unauthorized data or execute malicious scripts. It thereby identifies misuse of living-off-the-land binaries (LOLBins), legitimate tools that attackers frequently abuse to reach their goals without raising alarms, and improves the overall security posture of the monitored environment.
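As an added illustration of the detection logic this summary describes (not the rule's own query or the vendor's code), the following Python flags msdt.exe process launches whose command line carries path traversal sequences, run over a few constructed EDR-style process records; the parent-process enrichment and the list of document-handling parents are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed EDR-style process-creation record (not from the original page).
@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as recorded by the EDR sensor
    parent_image: str   # full path of the parent process (assumed field)

# One or more "..\" or "../" segments anywhere in the command line.
TRAVERSAL_RE = re.compile(r"(?:\.\.[\\/])+")

# Assumed set of document handlers; a hit under one of these matches the
# malicious-document delivery the rule summary describes.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def msdt_traversal_hits(events):
    """Return (event, severity) for msdt.exe launches whose command line
    contains path traversal; severity is raised when the parent is a
    document handler."""
    hits = []
    for ev in events:
        if _basename(ev.image) != "msdt.exe":
            continue  # rule scope is msdt.exe only
        if not TRAVERSAL_RE.search(ev.command_line):
            continue  # ordinary diagnostic launch, no traversal
        severity = "high" if _basename(ev.parent_image) in DOCUMENT_PARENTS else "medium"
        hits.append((ev, severity))
    return hits

# Constructed sample events: one benign msdt launch, one traversal under
# WINWORD.EXE, one traversal in cmd.exe (out of scope), one mixed-case
# msdt launch using forward-slash traversal.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msdt.exe",
                 r"msdt.exe -id NetworkDiagnosticsWeb",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ..\..\..\..\Users\Public\sample.txt',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c type ..\..\config.ini",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\WINDOWS\SYSTEM32\MSDT.EXE",
                 r"MSDT.EXE ../../../Users/Public/sample.txt",
                 r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for ev, sev in msdt_traversal_hits(SAMPLE_EVENTS):
        print(sev, ev.command_line)
```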
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1059
Created: 2024-12-10