
Summary
This detection rule identifies the execution of command-line interpreters such as PowerShell and CMD on a host, which can indicate a range of malicious activity, particularly by advanced persistent threat (APT) groups. The rule uses endpoint data from Windows Sysmon to capture process-creation events in which the specified interpreters are invoked. It aggregates those events in one-minute intervals and matches the names of the executed processes against known patterns that suggest potentially malicious activity. The detection is made more useful by correlating the observed executions with known threat actors and malware families, which gives security analysts context for triage. Actors associated with this kind of command-line execution range from APT29 to Carbanak, and malware families such as Trickbot and Ryuk rely on it as well. Monitoring command-line execution with a rule like this is an important control for organizations, because attackers depend on these interpreters to deploy payloads and run commands on compromised hosts, and the rule gives defenders a chance to spot that activity.
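The following is an added example, not the rule's own query: a stand-alone re-implementation of the logic the summary describes, run over a few constructed Sysmon Event ID 1 (process creation) records. It parses each record, keeps only the watched interpreter names, buckets them per host, user and one-minute window, and tags each hit with the ATT&CK sub-technique listed on this page. The JSON field names (taken from Sysmon's own event fields), the inclusion of pwsh.exe alongside powershell.exe, and the sample records themselves are assumptions made for this example.

```python
"""Added example: one-minute aggregation of Sysmon process-creation events
for command-line interpreters.  Illustrative code, not the detection rule's
own query; field names and sample records are constructed for this example."""
from collections import defaultdict
from datetime import datetime
import json

# Watched interpreter names mapped to the ATT&CK sub-techniques on the page.
# pwsh.exe (PowerShell 7) is an addition assumed for this example.
WATCHED_PROCESSES = {
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
}

# Constructed Sysmon records serialised as JSON lines (assumed field names
# follow Sysmon's Event ID 1 schema: UtcTime, Computer, User, Image, CommandLine).
SAMPLE_LOG_LINES = [
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "UtcTime": "2024-02-09 10:15:03.101",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}),
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "UtcTime": "2024-02-09 10:15:41.550",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -ep bypass -File C:\\Temp\\run.ps1"}),
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "UtcTime": "2024-02-09 10:15:50.000",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe notes.txt"}),            # not watched
    json.dumps({"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
                "UtcTime": "2024-02-09 10:15:55.000",
                "Image": "C:\\Windows\\System32\\cmd.exe"}),         # network event, skipped
    json.dumps({"EventID": 1, "Computer": "SRV02", "User": "NT AUTHORITY\\SYSTEM",
                "UtcTime": "2024-02-09 10:16:05.000",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c whoami"}),
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "UtcTime": "2024-02-09 10:17:12.000",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c dir C:\\Users"}),
]


def process_name(image: str) -> str:
    """Lower-cased basename of the Sysmon Image field (a full path)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def minute_bucket(utc_time: str) -> str:
    """Floor a Sysmon UtcTime value to the minute: the rule's aggregation window."""
    ts = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")
    return ts.strftime("%Y-%m-%dT%H:%M:00Z")


def aggregate(lines):
    """Group watched process-creation events by (minute, host, user, process)."""
    buckets = defaultdict(lambda: {"count": 0, "command_lines": [],
                                   "first_seen": None, "last_seen": None})
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        name = process_name(ev["Image"])
        if name not in WATCHED_PROCESSES:   # only the interpreters of interest
            continue
        key = (minute_bucket(ev["UtcTime"]), ev["Computer"], ev["User"], name)
        b = buckets[key]
        b["count"] += 1
        b["command_lines"].append(ev.get("CommandLine", ""))
        b["first_seen"] = b["first_seen"] or ev["UtcTime"]
        b["last_seen"] = ev["UtcTime"]
    return buckets


def detect(lines):
    """Return one alert per aggregated bucket, tagged with its ATT&CK technique."""
    alerts = []
    for (bucket, host, user, name), agg in sorted(aggregate(lines).items()):
        alerts.append({"window": bucket, "host": host, "user": user,
                       "process": name, "technique": WATCHED_PROCESSES[name],
                       "count": agg["count"], "command_lines": agg["command_lines"],
                       "first_seen": agg["first_seen"], "last_seen": agg["last_seen"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

The per-bucket command lines are kept on the alert deliberately: the process name alone tells an analyst that an interpreter ran, but the command line is what separates a scripted admin task from something worth escalating, and it is the field the actor and malware correlation described above would be applied to.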
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Command
ATT&CK Techniques
- T1059.001
- T1059.003
Created: 2024-02-09