
Suspicious Execution of Shutdown

Sigma Rules

Summary
The Sigma rule 'Suspicious Execution of Shutdown' watches Windows process-creation events for shutdown.exe launched with a command line containing /r (restart) or /s (shut down). Both switches are used routinely by administrators and patch-management tooling, so a hit is not proof of compromise on its own; it becomes interesting when the caller is an unexpected user or parent process, when it follows other suspicious activity on the host, or when many hosts fire at once. An adversary may reboot or power off a machine to disrupt services, to finish a persistence or wiper step, or to hamper response, which is why the rule is mapped to ATT&CK T1529 (System Shutdown/Reboot). The rule is tagged at medium level to reflect that balance between everyday administration and abuse. Two practical caveats for anyone deploying it: shutdown.exe also accepts the dash form of its switches (-r, -s), which a literal /r or /s match does not cover, and a substring match on /r or /s can be satisfied by other text in the command line, so reviewers should inspect the full command line, user and parent process before acting on an alert.
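To make the matching behaviour and its blind spots concrete, here is an added example (not code from the page or from the Sigma project) that evaluates the rule's logic over a handful of constructed process-creation events. The selection it models is an assumption based on the summary above: Image ending in \shutdown.exe and CommandLine containing /r or /s, compared case-insensitively as Sigma does by default. The event fields, sample users and host names are invented; a second, stricter selector shows one way to close the dash-switch gap.

```python
# Added example: evaluate the 'Suspicious Execution of Shutdown' logic over
# constructed process-creation events. Not code from the Sigma project; the
# selection modelled here is an assumption based on the rule summary.
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ProcessEvent:
    image: str          # full path of the created process (Sysmon EID 1 / 4688 style)
    command_line: str
    user: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", r"shutdown.exe /r /t 0", r"CORP\svc-patch"),
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", r'shutdown /S /f /t 5 /m \\FILESRV01 /c "maint"', r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", r"shutdown -r -t 0", r"CORP\jdoe"),        # dash form
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", r"shutdown /a", r"CORP\jdoe"),             # abort
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", r"shutdown /l", r"CORP\jdoe"),             # log off
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd /c dir /s C:\Users", r"CORP\jdoe"),       # not shutdown.exe
]


def matches_sigma_selection(ev: ProcessEvent) -> bool:
    """Assumed selection: Image|endswith '\\shutdown.exe' AND
    CommandLine|contains '/r' or '/s'. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith("\\shutdown.exe") and ("/r" in cmd or "/s" in cmd)


def matches_hardened_selection(ev: ProcessEvent) -> bool:
    """Stricter variant: also accepts the dash switches shutdown.exe honours
    (-r, -s) and matches whole switch tokens rather than substrings, so an
    unrelated argument containing '/s' does not satisfy the rule."""
    if not ev.image.lower().endswith("\\shutdown.exe"):
        return False
    switches = {tok.lower() for tok in ev.command_line.split()}
    return bool(switches & {"/r", "-r", "/s", "-s"})


def run_rule(events: List[ProcessEvent],
             selector: Callable[[ProcessEvent], bool] = matches_sigma_selection) -> List[ProcessEvent]:
    """Return the events the given selector flags, in input order."""
    return [ev for ev in events if selector(ev)]


def missed_by_literal_match(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events the hardened selector catches but the literal /r|/s match does not."""
    return [ev for ev in run_rule(events, matches_hardened_selection)
            if not matches_sigma_selection(ev)]


if __name__ == "__main__":
    for ev in run_rule(SAMPLE_EVENTS):
        print(f"ALERT [medium] user={ev.user} cmd={ev.command_line}")
    for ev in missed_by_literal_match(SAMPLE_EVENTS):
        print(f"MISSED by literal /r|/s match: {ev.command_line}")
```

Run as-is it flags the two slash-form events and reports the dash-form reboot as a miss; the /a, /l and cmd.exe events stay quiet under both selectors. Whether to ship the stricter selector depends on the telemetry: the token split works on the raw CommandLine field but would need adjusting for log sources that already normalise or quote arguments differently.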
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1529
Created: 2022-01-01