
Summary
This detection rule identifies potentially malicious use of the Git version control system on Windows hosts. Specifically, it looks for invocations of the 'git clone' or 'gh clone' commands within the last two hours. The rule is an SQL query in Snowflake syntax that inspects process event logs collected from CrowdStrike endpoint detection and response (EDR) sensors. Given recent vulnerabilities, particularly CVE-2020-27955 in Git LFS, these commands could signal an attempt to exploit them for remote code execution. By continuously monitoring for such command usage, the rule alerts security teams to suspicious activity associated with ingress tool transfer or attempted malicious code execution. Alert generation depends on the EDR logs being categorized as process data, so that the rule stays responsive to threats arising from repository cloning that could compromise the host.
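As an added illustration of the matching logic (not the rule's own Snowflake query), the following Python applies the same two checks, a two-hour lookback and a 'git clone' / 'gh clone' command-line match, to constructed process events. The field names are hypothetical rather than CrowdStrike's schema, and the pattern also accepts 'gh repo clone', the GitHub CLI's actual clone syntax.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample process events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(minutes=30), "host": "WS-01", "user": "alice",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git clone https://example.invalid/repo.git"},
    {"ts": NOW - timedelta(minutes=45), "host": "WS-02", "user": "bob",
     "image": r"C:\Program Files\GitHub CLI\gh.exe",
     "cmdline": "gh repo clone example-org/example-repo"},
    {"ts": NOW - timedelta(hours=5), "host": "WS-03", "user": "carol",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git clone https://example.invalid/old.git"},  # outside window
    {"ts": NOW - timedelta(minutes=10), "host": "WS-04", "user": "dave",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git status"},  # not a clone
    {"ts": NOW - timedelta(minutes=5), "host": "WS-05", "user": "erin",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "git clone https://example.invalid/x.git"'},  # via shell
    {"ts": NOW - timedelta(minutes=2), "host": "WS-06", "user": "frank",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": '"C:\\Program Files\\Git\\cmd\\git.exe" clone https://example.invalid/y.git'},
]

# "git clone", "gh clone" or "gh repo clone" as whole tokens, case-insensitive.
# Tolerates an explicit .exe suffix and a closing quote after the tool name,
# and rejects embedded hits such as "digit clone" or "git clone-helper".
CLONE_RE = re.compile(
    r'(?<![\w.-])(?:git|gh)(?:\.exe)?"?\s+(?:repo\s+)?clone(?![\w-])',
    re.IGNORECASE,
)


def find_clone_events(events, now=NOW, window=timedelta(hours=2)):
    """Return events inside the lookback window whose command line is a clone."""
    cutoff = now - window
    return [e for e in events
            if e["ts"] >= cutoff and CLONE_RE.search(e["cmdline"])]


if __name__ == "__main__":
    for e in find_clone_events(SAMPLE_EVENTS):
        print(f'{e["ts"]:%H:%M} {e["host"]} {e["user"]}: {e["cmdline"]}')
```

Clone commands are routine on developer workstations, so in practice the matches are enriched with host, user and repository URL before anyone is paged.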
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1105
Created: 2024-02-09