Windows System LogOff Commandline

Splunk Security Content

Summary
This rule detects execution of the Windows logoff command line, specifically the `shutdown.exe` process launched with parameters that request a logoff. It leverages telemetry captured by Endpoint Detection and Response (EDR) agents on endpoints. The rule matches the command only when it carries the specific flags that trigger a logoff, and it is meant to be correlated with known malicious patterns associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs). Because forcing a logoff is significant in a malicious context, this detection is important for catching unauthorized logoff commands before they cause operational disruption or data loss. Implementation requires correct ingestion of EDR logs and mapping of process events into the Splunk data model. The detection prioritizes unusual command executions that may indicate a security incident.
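As an added illustration of the logic the summary describes (this is not Splunk's own SPL search), the following Python filter applies the same condition to constructed process-creation events: flag `shutdown.exe` when its arguments include the logoff switch. The switch values `/l` and `-l`, and the event field names, are assumptions made here.

```python
import shlex

# Constructed sample process-creation events (not real EDR telemetry). The
# field names mimic what an EDR agent reports after mapping into a process
# data model: host, user, parent image, process image and full command line.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe",
     "process_name": "shutdown.exe", "process": "shutdown.exe /l"},
    {"host": "WS02", "user": "bob", "parent": "cmd.exe",
     "process_name": "shutdown.exe", "process": "shutdown.exe -l -f"},
    {"host": "WS03", "user": "carol", "parent": "explorer.exe",
     "process_name": "shutdown.exe", "process": "shutdown.exe /s /t 60"},
    {"host": "WS04", "user": "dave", "parent": "svchost.exe",
     "process_name": "notepad.exe", "process": "notepad.exe log.txt"},
    {"host": "WS05", "user": "eve", "parent": "powershell.exe",
     "process_name": "shutdown.exe",
     "process": '"C:\\Windows\\System32\\shutdown.exe" /L /F'},
]

# Assumed logoff switches: shutdown.exe accepts both slash and dash forms.
LOGOFF_FLAGS = {"/l", "-l"}


def is_logoff_command(process_name, command_line):
    """Return True when the event is shutdown.exe run with the logoff switch."""
    if process_name.lower() != "shutdown.exe":
        return False
    # posix=False keeps Windows-style quoted paths together as one token.
    try:
        args = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        args = command_line.split()
    # Windows switches are case-insensitive, so /L must match like /l.
    return any(a.lower() in LOGOFF_FLAGS for a in args[1:])


def find_logoff_events(events):
    """Return the subset of events that match the logoff condition (T1529)."""
    return [e for e in events if is_logoff_command(e["process_name"], e["process"])]


if __name__ == "__main__":
    for hit in find_logoff_events(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]} parent={hit["parent"]}: {hit["process"]}')
```

A scheduled shutdown (`/s /t 60`) on WS03 is deliberately not flagged, since the rule is scoped to logoff, not shutdown or reboot.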
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Process
ATT&CK Techniques
  • T1529
Created: 2024-11-13