Windows List ENV Variables Via SET Command From Uncommon Parent

Splunk Security Content

Summary
This analytic rule detects executions of the Windows command interpreter cmd.exe that run the 'set' command to enumerate environment variables when the parent process is not a typical shell. The detection targets behaviour seen in malware such as Qakbot, which uses this technique to probe the host's configuration and gather information. The rule uses telemetry from Endpoint Detection and Response (EDR) agents, specifically the command line of each process together with its parent process. When 'cmd.exe' running 'set' is traced back to a non-shell parent, the rule raises an alert indicating a possible compromise: the parent process may have been hijacked (for example through code injection), giving the attacker a foothold for further command execution or privilege escalation. Implementing this rule requires ingesting EDR logs that include process GUIDs, process names, command lines, and parent process data. Mapping these logs to the Endpoint data model improves detection accuracy and the ability to respond.
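As an added illustration (this is not Splunk's SPL search and not part of this page), the following Python replays the summary's logic over a handful of constructed process-creation events: cmd.exe whose command line carries a standalone `set` token, filtered to parents that are not on an assumed list of interactive shells. The field names follow the Endpoint.Processes data model the summary refers to; the shell list, the event values, the `wermgr.exe`/`winword.exe`/`svchost.exe` parents and all helper names are assumptions made here for the example.

```python
"""Replay of the "cmd.exe set from uncommon parent" logic over constructed events.

Added example, not Splunk's own detection code. The shell-parent list and the
sample events below are assumptions for illustration only.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# ASSUMPTION: which parents count as "typical shells". The real analytic keeps
# its own exclusion list; tune this to the environment being monitored.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Match `set` only as a whole token. A bare "*set*" wildcard would also fire on
# "setup.exe", "settings" or "reset"; the lookarounds reject those.
SET_TOKEN = re.compile(r"(?<![\w.-])set(?![\w.-])", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Endpoint.Processes fields the summary names (values constructed)."""
    dest: str
    user: str
    process_guid: str
    process_name: str
    process: str              # full command line
    parent_process_name: str
    parent_process: str       # full path of the parent


def basename(path_or_name: str) -> str:
    """Normalise a bare name or a full Windows path to a lower-case file name."""
    return ntpath.basename(path_or_name).lower()


def is_shell_parent(parent_process_name: str) -> bool:
    return basename(parent_process_name) in SHELL_PARENTS


def runs_set_via_cmd(ev: ProcessEvent) -> bool:
    """True when the child is cmd.exe and its command line runs `set`."""
    return basename(ev.process_name) == "cmd.exe" and SET_TOKEN.search(ev.process) is not None


def is_suspicious(ev: ProcessEvent) -> bool:
    """The rule: cmd.exe running `set`, spawned by something that is not a shell."""
    return runs_set_via_cmd(ev) and not is_shell_parent(ev.parent_process_name)


def detect(events):
    return [ev for ev in events if is_suspicious(ev)]


def count_by_parent(events):
    """Roughly the `by dest, parent_process_name` grouping an analyst would triage."""
    return Counter((ev.dest, basename(ev.parent_process)) for ev in detect(events))


# Constructed sample events (hypothetical hosts, users, GUIDs and parents).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "{g1}", "cmd.exe",
                 "C:\\Windows\\System32\\cmd.exe /c set",
                 "wermgr.exe", "C:\\Windows\\System32\\wermgr.exe"),          # hit
    ProcessEvent("ws01", "CORP\\alice", "{g2}", "cmd.exe",
                 "cmd.exe /c set",
                 "cmd.exe", "C:\\Windows\\System32\\cmd.exe"),                # shell parent
    ProcessEvent("ws02", "CORP\\bob", "{g3}", "cmd.exe",
                 "cmd.exe /c setup.exe /quiet",
                 "explorer.exe", "C:\\Windows\\explorer.exe"),                # not `set`
    ProcessEvent("ws02", "CORP\\bob", "{g4}", "cmd.exe",
                 'cmd.exe /c "set > C:\\Users\\Public\\env.txt"',
                 "winword.exe", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),  # hit
    ProcessEvent("srv01", "NT AUTHORITY\\SYSTEM", "{g5}", "CMD.EXE",
                 "C:\\Windows\\System32\\cmd.exe /c SET",
                 "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),        # hit (case)
    ProcessEvent("ws01", "CORP\\alice", "{g6}", "cmd.exe",
                 "cmd.exe /c reset",
                 "explorer.exe", "C:\\Windows\\explorer.exe"),                # not `set`
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev.dest} {ev.user} parent={ev.parent_process_name} cmd={ev.process!r}")
    print(count_by_parent(SAMPLE_EVENTS))
```

The token-level match is deliberately stricter than a substring wildcard so that installers and scripts mentioning `setup` or `settings` do not page anyone; the trade-off is that an attacker who runs `set` through another layer of indirection (a batch file, for example) is not caught by this string check at all, which is why the parent-process condition, not the `set` string, carries most of the signal.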
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1055
Created: 2025-01-17