legitimate explorer.exe run from cmd.exe

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml>sigma
technicques: t1218

Techniques

Attackers can use explorer.exe for evading defense mechanisms

condition: selection
selection:
  CommandLine|contains: explorer.exe
  Image|endswith: \explorer.exe
  ParentImage|endswith: \cmd.exe