
Summary
This detection rule identifies execution of the Ruby interpreter from the command line on Windows systems with the '-e' flag. The '-e' flag lets a user pass Ruby code directly on the command line instead of in a script file, which malicious actors can abuse to execute arbitrary code or launch reverse shell connections. The rule inspects process creation logs for instances where ruby.exe is started with '-e', since that pattern is a likely indicator of malicious use. It applies two selection criteria: the process image ends in '\ruby.exe' and the command line contains the ' -e' string; both must hold for the event to match, which covers this execution pattern regardless of the interpreter's install path. Flagging these events lets system administrators and security teams promptly investigate potentially unauthorized or malicious use of Ruby scripts in their environments.
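The two selection criteria above, applied to a handful of constructed process-creation events, as an added example (this is illustrative code, not the rule's own implementation; the event field names Image and CommandLine follow the Sysmon/Sigma process_creation convention, and the sample events and the inline_code helper are assumptions of this example):

```python
import shlex

# Constructed sample process-creation events (not taken from the original page).
SAMPLE_EVENTS = [
    # Inline Ruby code via -e: should match.
    {"Image": r"C:\Ruby32-x64\bin\ruby.exe", "CommandLine": 'ruby.exe -e "puts 1+1"'},
    # Ruby running a script file: no -e, should not match.
    {"Image": r"C:\Ruby32-x64\bin\ruby.exe", "CommandLine": r"ruby.exe C:\scripts\deploy.rb"},
    # Another interpreter using -e: image is not ruby.exe, should not match.
    {"Image": r"C:\Program Files\Git\usr\bin\perl.exe", "CommandLine": 'perl.exe -e "print 1"'},
    # -E is Ruby's encoding flag, not inline execution; it only matches when
    # the ' -e' substring test is case-insensitive (the Sigma default).
    {"Image": r"C:\Ruby32-x64\bin\ruby.exe", "CommandLine": "ruby.exe -E UTF-8 script.rb"},
    # Version check: should not match.
    {"Image": r"C:\Ruby32-x64\bin\ruby.exe", "CommandLine": "ruby.exe --version"},
]


def matches_rule(event, case_insensitive=True):
    """Mirror the rule's two selection criteria (both must hold):
    Image ends with '\\ruby.exe' AND CommandLine contains ' -e'.
    Sigma string matching is case-insensitive by default; case_insensitive=True
    reproduces that behaviour, which also means ' -E' matches."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if case_insensitive:
        image, cmd = image.lower(), cmd.lower()
    return image.endswith("\\ruby.exe") and " -e" in cmd


def inline_code(command_line):
    """Return the Ruby snippet that followed a separate '-e' token, for analyst
    triage, or None if there is none. shlex in non-POSIX mode is only an
    approximation of Windows command-line quoting (assumption of this example)."""
    tokens = shlex.split(command_line, posix=False)
    for i, tok in enumerate(tokens):
        if tok == "-e" and i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None


def triage(events, case_insensitive=True):
    """Run the rule over a list of events and return the matches with the
    inline code extracted, so an analyst can see what was executed."""
    hits = []
    for event in events:
        if matches_rule(event, case_insensitive):
            hits.append({
                "image": event["Image"],
                "command_line": event["CommandLine"],
                "code": inline_code(event["CommandLine"]),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['image']} :: {hit['command_line']} :: code={hit['code']!r}")
```

With the default case-insensitive matching the sample set yields two hits: the genuine inline execution and the '-E UTF-8' encoding invocation. The second is the kind of benign match worth knowing about when tuning: a case-sensitive comparison drops it, but in Sigma-based pipelines the contains modifier is case-insensitive, so tuning is better done with an explicit exclusion than by relying on case.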
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-01-02