
Summary
This threat detection rule identifies instances where the Windows command line utility, cmd.exe, creates a network connection. This behavior is often associated with adversaries downloading or executing malware from remote locations, since built-in command line tools like cmd.exe let such activity blend in with normal administrative use. The detection logic uses a sequence of process and network events, flagging cases where cmd.exe is started and subsequently makes an external network connection. Investigation may cover the process's execution chain, related alerts within a 48-hour window, and the reputation of any domains contacted. The rule provides a structured investigation guide for responding to detected incidents and outlines potential false positives, emphasizing the importance of context and baseline data.
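The sequence logic described above (a cmd.exe process start followed by a network connection from the same process to a non-internal address), as an added Python illustration that is not the rule's own query: the simplified ECS-style field names, the join on process.entity_id, the 60-second span and the sample events are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Address ranges treated as internal; connections to these are not flagged.
INTERNAL_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed sample telemetry (not real logs), simplified ECS-style field names.
SAMPLE_EVENTS = [
    {"category": "process", "action": "start", "process.name": "cmd.exe",
     "process.entity_id": "p1", "ts": 100},
    {"category": "network", "process.name": "cmd.exe", "process.entity_id": "p1",
     "destination.ip": "203.0.113.10", "destination.port": 80, "ts": 105},
    {"category": "process", "action": "start", "process.name": "cmd.exe",
     "process.entity_id": "p2", "ts": 200},
    {"category": "network", "process.name": "cmd.exe", "process.entity_id": "p2",
     "destination.ip": "10.0.0.5", "destination.port": 445, "ts": 201},  # internal: ignored
    {"category": "network", "process.name": "cmd.exe", "process.entity_id": "p9",
     "destination.ip": "198.51.100.7", "destination.port": 443, "ts": 300},  # no start seen
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def detect_cmd_network(events, max_span=60):
    """Correlate cmd.exe process starts with later network events from the same
    process (joined on process.entity_id) within max_span seconds, keeping only
    connections to external addresses. Returns (entity_id, dest_ip, dest_port)."""
    start_times = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = ev["process.name"].lower()
        if ev["category"] == "process" and ev.get("action") == "start" and name == "cmd.exe":
            start_times[ev["process.entity_id"]] = ev["ts"]
        elif ev["category"] == "network" and name == "cmd.exe":
            t0 = start_times.get(ev["process.entity_id"])
            if t0 is not None and 0 <= ev["ts"] - t0 <= max_span and is_external(ev["destination.ip"]):
                hits.append((ev["process.entity_id"], ev["destination.ip"], ev["destination.port"]))
    return hits


if __name__ == "__main__":
    for eid, ip, port in detect_cmd_network(SAMPLE_EVENTS):
        print(f"ALERT: cmd.exe ({eid}) connected to {ip}:{port}")
```

Only the first pair fires: the second goes to an RFC 1918 address and the third has no matching process start, which is why baselining internal ranges and tuning the span matter for false positives.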
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1059
- T1105
Created: 2020-02-18