Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes; such known-good cases are best excluded narrowly by their specific parent process and command line, as the rule's exception list does, rather than by suppressing the rule.

Techniques

Sample rules

Web Shell Detection: Script Process Child of Common Web Processes

Description

Identifies suspicious command shells and script interpreters spawned by a web server process, which may indicate an exploited vulnerability and remote (web) shell access.

Detection logic

host.os.type:windows and event.category:process and event.type:start and process.args : * and
  process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe") and
  (
    process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
    process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
  ) and
  not
  (
    process.command_line : (
      "cmd.exe /c mode CON" or
      "cmd.exe /s /c \"mode CON\"" or
      "cmd.exe /c \"mode\"" or
      "cmd.exe /s /c \"tput colors 2>&1\"" or
      "cmd.exe /s /c \"stty 2> NUL\"" or
      "cmd.exe /s /c \"stty 2>&1\"" or
      "cmd.exe /c \"stty 2>&1\"" or
      "cmd.exe /s /c \"ipconfig /all 2>&1\"" or
      "cmd.exe /s /c \"echo '%os%'\"" or
      *.\\install\\awk.exe*
    ) or
    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or

    (process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or

    (process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or

    (process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or

    (process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or

    (process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or

    (process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
  )