
Summary
This detection rule identifies executables launched by cmd.exe, focusing on child processes that known threat actors use to run malicious code. When cmd.exe is the parent process, the rule captures children such as powershell.exe, rundll32.exe, cscript.exe and similar executables. It relies on Windows Security Event ID 4688 (process creation), filtering for events whose parent process is cmd.exe and applying a regular expression to confirm the parent-child relationship between cmd.exe and the listed executables. The rule is annotated with associated threat actors (APT28 and REvil) and with software seen in attacks (Alchimist and AvosLocker), which gives analysts context for triage. Together, this approach helps surface execution attempts that may indicate malicious activity on endpoints.
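The matching logic described above, run over a handful of constructed Event ID 4688 records, as an added example (this is illustrative code, not the rule's own query). Field names follow the 4688 schema (ParentProcessName, NewProcessName, CommandLine). powershell.exe, rundll32.exe and cscript.exe come from the summary; the extra child names in the regex are an assumed reading of its "similar executables", and the sample events are constructed, not real telemetry.

```python
import re

# Constructed sample Event ID 4688 records (not real telemetry). Field names
# follow the Windows Security log schema for 4688.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688,
     "ParentProcessName": r"C:\Windows\SysWOW64\CMD.EXE",   # different case and path
     "NewProcessName": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"EventID": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe",        # watched child, wrong parent
     "NewProcessName": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript.exe //nologo script.vbs"},
    {"EventID": 4688,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",    # right parent, unwatched child
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688,
     "ParentProcessName": r"C:\Tools\notcmd.exe",            # must not match: cmd.exe is only a suffix
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cscript.exe",   # host without a parent field at all
     "CommandLine": "cscript.exe inventory.vbs"},
    {"EventID": 4624, "TargetUserName": "alice"},            # logon event, not process creation
]

# The parent must be exactly cmd.exe as the final path component. Anchoring on a
# preceding backslash (or start of string) and on end of string stops names such
# as notcmd.exe or cmd.exe.bak from matching; IGNORECASE handles CMD.EXE.
PARENT_RE = re.compile(r"(?:^|\\)cmd\.exe$", re.IGNORECASE)

# powershell.exe, rundll32.exe and cscript.exe are named by the rule summary; the
# remaining names are an assumed reading of its "similar executables".
CHILD_RE = re.compile(
    r"(?:^|\\)(?:powershell|pwsh|rundll32|cscript|wscript|mshta|regsvr32)\.exe$",
    re.IGNORECASE,
)


def match_rule(event):
    """Return True if the event is a 4688 record of cmd.exe spawning a watched child."""
    if event.get("EventID") != 4688:
        return False
    # Missing fields (older hosts log no parent name) must not raise or match.
    parent = event.get("ParentProcessName", "")
    child = event.get("NewProcessName", "")
    return bool(PARENT_RE.search(parent)) and bool(CHILD_RE.search(child))


def detect(events):
    """Run the rule over an iterable of events and return the matching ones in order."""
    return [e for e in events if match_rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentProcessName']} -> {hit['NewProcessName']} :: {hit['CommandLine']}")
```

Two operational caveats before deploying logic like this: 4688 is only written when the "Audit Process Creation" subcategory is enabled, and the parent process name (Creator Process Name) and CommandLine fields are only populated on Windows 10 / Server 2016 and later with the "Include command line in process creation events" policy turned on. Expect benign hits from logon scripts and scheduled batch files that call PowerShell from cmd.exe; tune on CommandLine rather than loosening the parent or child regex.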
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
ATT&CK Techniques
- T1059
Created: 2024-02-09