โ† Back to hub

APT3-Style Remote Execution Pattern via cmd.exe

Detects cmd.exe invoked with the /C parameter to run discovery commands typical of the APT3 profile (whoami, net user, systeminfo, nltest) when the parent process is unusual, which indicates possible remote execution or lateral movement via the command shell (T1059.003), as documented in APT3 TTP analysis.
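The logic described above, sketched as an added example over process-creation events; this is not the subscription query from this page. It assumes Sysmon-style field names (Image, CommandLine, ParentImage), a hypothetical EXPECTED_PARENTS allowlist that defines what counts as a usual parent, and constructed sample events.

```python
import re

# Assumption: parents that normally start cmd.exe on a workstation; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
# Discovery commands named in the rule description.
DISCOVERY = re.compile(r"\b(whoami|systeminfo|nltest|net1?(?:\.exe)?\s+user)\b", re.I)
# First /C switch after the image name; cmd.exe also accepts it with no following space.
SLASH_C = re.compile(r"\s/c\s*(.*)", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def evaluate(event):
    """Return (parent, discovery_command) if the event matches the pattern, else None."""
    if basename(event["Image"]) != "cmd.exe":
        return None
    switch = SLASH_C.search(event["CommandLine"])
    if not switch:
        return None  # no /C: interactive shell or /K, outside this rule
    hit = DISCOVERY.search(switch.group(1))
    parent = basename(event["ParentImage"])
    if not hit or parent in EXPECTED_PARENTS:
        return None
    return parent, " ".join(hit.group(1).lower().split())

def detect(events):
    """Evaluate every event and keep only the matches, in input order."""
    return [alert for alert in map(evaluate, events) if alert]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Windows\System32\cmd.exe /Q /c systeminfo",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /C "net  user /domain"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Users",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /k whoami",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for parent, command in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} command={command}")
```

Matching on the command name alone is a heuristic; the allowlist is the main tuning point for false positives.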
