
PTC Windchill Gateway Command Execution

Splunk Security Content

Summary
Technical detection rule for PTC Windchill Gateway exploitation, built on Windchill MethodServer log4j events. This anomaly detection looks for web requests that indicate CVE-2026-4681-style abuse via gateway paths and embedded parameters that could trigger OS command execution or local file reads. Specifically, it monitors Windchill Gateway endpoints for patterns such as run?c=, run?p=, .jsp?c=, and .jsp?p=, including gateway paths like GW/run, WindchillGW/GW/run, WindchillAuthGW/GW/run, and JSP-based entry points (e.g., dpr_<8 hex>.jsp).

When a request matches one of these patterns, the rule parses the log4j payload to extract the event time, source IP, HTTP method, URI, and query string, and then derives the parameter type (c for command execution, p for file read) and the corresponding value. It distinguishes two event types (servlet_request and method_context_servlet_request) in order to map fields such as src_ip, uri_path, query_string, http_method, and status. The detection excludes benign echoes (e.g., GW_READY_OK) and keeps only cases where query_param is c or p. The activity is classified as command_execution_parameter or file_read_parameter and attributed to the originating source IP.

The rule aggregates findings by source IP, parameter type, and parameter value, and surfaces first/last seen times, log levels, and the relevant URIs. It is aligned to CVE-2026-4681 and maps to MITRE techniques T1190 (Exploit Public-Facing Application), T1059 (Command-Line Interface) and T1005 (Data from Local System) in its analytics. The rule is designed to run over Windchill log4j logs (Application Log data source) and supports threat hunting, incident response, and risk attribution for Windchill exploitation attempts. References and context include vendor advisories and the CVE details. The analytic story label is “PTC Windchill Exploitation.” Short-term actions include validating hits against known red-team tests or scans to reduce false positives, and reviewing the corresponding logs for corroborating indicators.
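The parse, filter, classify and aggregate steps described above, written out as an added Python example that is not part of the Splunk Security Content rule itself (the real detection is SPL over the Application Log data source). The sample log lines and their key=value layout are constructed for this example; the real Windchill MethodServer log4j layout, and the alternative field names for method_context_servlet_request events (remote_addr, method, uri, query), are assumptions. Gateway path patterns (GW/run, dpr_<8 hex>.jsp) and the c/p parameter semantics are taken from the page; treating only dpr_-style JSPs as gateway entry points is this example's interpretation.

```python
import re

# Constructed sample events in an ASSUMED "<ts> <level> <event_type> k=v ..." layout.
# Parameter values are placeholders, not real payloads.
SAMPLE_LOG = """\
2026-06-16 09:12:01,004 INFO servlet_request src_ip=203.0.113.5 http_method=GET uri_path=/Windchill/servlet/WindchillGW/GW/run query_string=c=testcmd status=200
2026-06-16 09:12:03,118 WARN method_context_servlet_request remote_addr=203.0.113.5 method=GET uri=/Windchill/servlet/WindchillAuthGW/GW/run query=p=/etc/hostname status=200
2026-06-16 09:12:05,220 INFO servlet_request src_ip=198.51.100.7 http_method=GET uri_path=/Windchill/servlet/WindchillGW/GW/run query_string=c=GW_READY_OK status=200
2026-06-16 09:12:07,330 INFO servlet_request src_ip=198.51.100.7 http_method=GET uri_path=/Windchill/app/dpr_0a1b2c3d.jsp query_string=c=testcmd status=200
2026-06-16 09:12:09,441 INFO servlet_request src_ip=192.0.2.9 http_method=GET uri_path=/Windchill/servlet/WindchillGW/GW/run query_string=x=1 status=200
2026-06-16 09:12:11,552 INFO servlet_request src_ip=192.0.2.9 http_method=GET uri_path=/Windchill/app/index.jsp query_string=c=testcmd status=200
2026-06-16 09:12:13,663 ERROR servlet_request src_ip=203.0.113.5 http_method=POST uri_path=/Windchill/servlet/GW/run query_string=c=testcmd status=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<event_type>\S+) (?P<rest>.*)$"
)

# Normalized field name -> raw field name, per event type (raw names for the
# method_context_servlet_request variant are assumed for this example).
FIELD_MAP = {
    "servlet_request": {
        "src_ip": "src_ip", "http_method": "http_method",
        "uri_path": "uri_path", "query_string": "query_string", "status": "status",
    },
    "method_context_servlet_request": {
        "src_ip": "remote_addr", "http_method": "method",
        "uri_path": "uri", "query_string": "query", "status": "status",
    },
}

# Gateway entry points named on the page: any .../GW/run path and dpr_<8 hex>.jsp.
GATEWAY_PATH_RE = re.compile(r"(?:/GW/run$|/dpr_[0-9a-f]{8}\.jsp$)")
# A c= or p= parameter anywhere in the query string.
PARAM_RE = re.compile(r"(?:^|&)(?P<param>[cp])=(?P<value>[^&]*)")
BENIGN_VALUES = {"GW_READY_OK"}          # benign echo the rule excludes
CLASSIFICATION = {"c": "command_execution_parameter", "p": "file_read_parameter"}


def parse_line(line):
    """Parse one log4j line into normalized fields; None if it is not a request event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    names = FIELD_MAP.get(m.group("event_type"))
    if names is None:
        return None
    raw = {}
    for tok in m.group("rest").split():
        k, _, v = tok.partition("=")   # split on the FIRST '=' so 'c=...' survives inside the value
        raw[k] = v
    return {
        "event_time": m.group("ts"), "log_level": m.group("level"),
        "event_type": m.group("event_type"),
        **{norm: raw.get(src, "") for norm, src in names.items()},
    }


def classify(event):
    """Return (query_param, param_value, activity) for gateway requests carrying c= or p=, else None."""
    if not GATEWAY_PATH_RE.search(event["uri_path"]):
        return None
    pm = PARAM_RE.search(event["query_string"])
    if not pm or pm.group("value") in BENIGN_VALUES:
        return None
    param = pm.group("param")
    return param, pm.group("value"), CLASSIFICATION[param]


def detect(log_text):
    """Run parse + filter + classify over raw log text and return the matching events."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        cls = classify(ev) if ev else None
        if cls is None:
            continue
        ev["query_param"], ev["param_value"], ev["activity"] = cls
        hits.append(ev)
    return hits


def aggregate(hits):
    """Group hits by (src_ip, activity, param_value) with first/last seen, levels and URIs."""
    groups = {}
    for ev in hits:
        key = (ev["src_ip"], ev["activity"], ev["param_value"])
        g = groups.setdefault(key, {
            "count": 0, "first_seen": ev["event_time"], "last_seen": ev["event_time"],
            "log_levels": set(), "uris": set(),
        })
        g["count"] += 1
        # Timestamps are zero-padded, so string min/max gives chronological order.
        g["first_seen"] = min(g["first_seen"], ev["event_time"])
        g["last_seen"] = max(g["last_seen"], ev["event_time"])
        g["log_levels"].add(ev["log_level"])
        g["uris"].add(ev["uri_path"])
    return groups


if __name__ == "__main__":
    for key, g in aggregate(detect(SAMPLE_LOG)).items():
        print(key, g["count"], g["first_seen"], g["last_seen"], sorted(g["log_levels"]))
```

Of the seven constructed lines, four survive: the GW_READY_OK echo is dropped as benign, the x=1 request carries no c/p parameter, and index.jsp is not treated as a gateway entry point. The two c=testcmd requests from 203.0.113.5 collapse into one group with count 2, which is the shape of the output a responder would pivot on.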
Categories
  • Web
  • Application
  • Network
Data Sources
  • Application Log
ATT&CK Techniques
  • T1190
  • T1059
  • T1005
Created: 2026-06-16