
Summary
This detection rule identifies potential indicators of Cobalt Strike beacon activity through specific process-creation patterns on Windows. It focuses on command-line executions, particularly those ending with 'cmd.exe /C whoami', a command commonly seen in Cobalt Strike's lateral movement tactics. Additional patterns cover 'runonce.exe' and 'dllhost.exe' launched with command lines that redirect output into the Windows named-pipe namespace ('> \\.\pipe'), a technique often leveraged for interprocess communication or to obfuscate malicious activity. The rule groups these checks into the selections 'selection_generic_1', 'selection_generic_2', 'selection_conhost_1' and 'selection_conhost_2', allowing detection of suspicious executions spawned from known or unknown parent processes. The condition requires that at least one of these selections match for an alert to be generated, which gives the rule the flexibility to cover several distinct process execution patterns associated with Cobalt Strike.
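To make the matching logic concrete, here is an added example (not the rule's own source) that evaluates the patterns named above against a few constructed process-creation events. The field names (Image, ParentImage, CommandLine) follow the Sysmon / Sigma process_creation convention; the selection names used here are invented, because the page lists the rule's selection names but not their bodies, so which pattern belongs to which real selection is not reproduced. Matching is case-insensitive, as Sigma string matching is by default.

```python
"""Toy evaluator for the process-creation patterns this rule describes.

Constructed example, not the rule's source. The selections below only
cover the patterns the summary names explicitly; the names are invented.
"""

from typing import Dict, List

# Assumed rule fragment in Sigma-style "Field|modifier" syntax. Python
# source "> \\\\.\\pipe" is the literal string  > \\.\pipe  at runtime.
RULE_DETECTION: Dict[str, Dict[str, str]] = {
    "whoami_via_cmd": {
        "CommandLine|endswith": "cmd.exe /C whoami",
    },
    "runonce_pipe": {
        "Image|endswith": "\\runonce.exe",
        "CommandLine|contains": "> \\\\.\\pipe",
    },
    "dllhost_pipe": {
        "Image|endswith": "\\dllhost.exe",
        "CommandLine|contains": "> \\\\.\\pipe",
    },
}


def _field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; comparisons are case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p  # no modifier: exact (case-insensitive) equality


def matching_selections(event: Dict[str, str]) -> List[str]:
    """Return the names of all selections whose criteria the event satisfies.

    Within a selection every Field|modifier entry must hold (logical AND).
    """
    hits: List[str] = []
    for name, criteria in RULE_DETECTION.items():
        for key, pattern in criteria.items():
            field_name, _, modifier = key.partition("|")
            if not _field_matches(event.get(field_name, ""), modifier, pattern):
                break
        else:
            hits.append(name)
    return hits


def is_alert(event: Dict[str, str]) -> bool:
    """Rule condition: at least one selection must match ("1 of selection_*")."""
    return bool(matching_selections(event))


# Constructed sample events; paths and pipe names are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # cmd.exe /C whoami spawned from an unusual parent
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "C:\\Windows\\system32\\cmd.exe /C whoami",
    },
    {   # runonce.exe redirecting output into a named pipe
        "Image": "C:\\Windows\\System32\\runonce.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "runonce.exe /c echo PLACEHOLDER > \\\\.\\pipe\\PLACEHOLDER_PIPE",
    },
    {   # benign interactive shell use
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /C dir C:\\Users",
    },
    {   # whoami with extra arguments: not matched by the endswith pattern
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /C whoami /all",
    },
]


def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Evaluate a batch of events; one list of matched selections per event."""
    return [matching_selections(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        status = "ALERT" if hits else "ok   "
        print(f"{status} {event['CommandLine']}  {hits}")
```

Two things the sample output makes visible: the 'cmd.exe /C whoami' check is an endswith match, so 'whoami /all' or any trailing argument silently escapes it, and a plain administrator running the same command from a normal parent process will trigger it. When tuning, the ParentImage field carried in each event is the natural place to add an exclusion or a severity boost rather than loosening the command-line pattern itself.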
Categories
- Windows
- Endpoint
Data Sources
- Process
- Command
Created: 2021-07-27