Windows DLL Search Order Hijacking with iscsicpl

Splunk Security Content

Summary
This detection rule identifies potential DLL search order hijacking involving the Windows process `iscsicpl.exe`. It looks for cases in which `iscsicpl.exe` loads a DLL from a location not normally associated with it, which can indicate an attempt to execute unauthorized code. The rule relies on Endpoint Detection and Response (EDR) telemetry and primarily monitors child processes spawned by `iscsicpl.exe`. Successful hijacking can result in arbitrary code execution, privilege escalation, or persistence on the affected host. The detection correlates process creation events from Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 data.
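The following is an added illustration of the detection logic described above, written for this page; it is not Splunk's rule and not part of the original content. It normalizes process creation records from the three telemetry sources named in the summary into one shape and flags any process whose parent is `iscsicpl.exe`. The field names assumed for each source (`ParentImage`/`Image` for Sysmon, `ParentProcessName`/`NewProcessName` for Security 4688, `ParentBaseFileName`/`ImageFileName` for CrowdStrike ProcessRollup2) and the sample events are assumptions and constructed data; check them against your own telemetry before reusing the mapping.

```python
"""Toy detector for child processes of iscsicpl.exe across three schemas.

Added example, not Splunk Security Content's own code. The field mapping
and the sample events below are assumptions / constructed data.
"""
from dataclasses import dataclass
import ntpath

# Parent process name the rule is looking for (compared case-insensitively).
TARGET_PARENT = "iscsicpl.exe"

# Assumed field names per source: (parent image, child image, command line).
SCHEMAS = {
    "sysmon_eid1": ("ParentImage", "Image", "CommandLine"),
    "security_4688": ("ParentProcessName", "NewProcessName", "CommandLine"),
    "crowdstrike_pr2": ("ParentBaseFileName", "ImageFileName", "CommandLine"),
}


@dataclass
class ProcEvent:
    source: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path).lower()


def normalize(source: str, record: dict) -> ProcEvent:
    """Map a raw record from one of the three sources to ProcEvent."""
    parent_field, image_field, cmd_field = SCHEMAS[source]
    return ProcEvent(
        source=source,
        parent_image=record.get(parent_field, ""),
        image=record.get(image_field, ""),
        command_line=record.get(cmd_field, ""),
    )


def is_suspicious(ev: ProcEvent) -> bool:
    """iscsicpl.exe is not expected to spawn children; any child is an anomaly."""
    return basename(ev.parent_image) == TARGET_PARENT


def detect(records):
    """Return one alert dict per process creation whose parent is iscsicpl.exe."""
    alerts = []
    for source, rec in records:
        ev = normalize(source, rec)
        if is_suspicious(ev):
            alerts.append({
                "source": ev.source,
                "parent": ev.parent_image,
                "child": basename(ev.image),
                "child_path": ev.image,
                "command_line": ev.command_line,
                "technique": "T1574.001",
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_RECORDS = [
    ("sysmon_eid1", {
        "ParentImage": r"C:\Windows\System32\iscsicpl.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    }),
    # Benign: iscsicpl.exe itself being launched is not what the rule flags.
    ("security_4688", {
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "NewProcessName": r"C:\Windows\System32\iscsicpl.exe",
        "CommandLine": "iscsicpl.exe",
    }),
    # CrowdStrike carries only the parent's base file name.
    ("crowdstrike_pr2", {
        "ParentBaseFileName": "iscsicpl.exe",
        "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden",
    }),
    # Case differences in the parent path must not hide the match.
    ("sysmon_eid1", {
        "ParentImage": r"C:\WINDOWS\SYSTEM32\ISCSICPL.EXE",
        "Image": r"C:\Users\Public\update.exe",
        "CommandLine": "update.exe",
    }),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Only the three events whose parent resolves to `iscsicpl.exe` produce alerts; the 4688 record in which `iscsicpl.exe` is the child is ignored, since the rule keys on the parent. When deploying logic like this, triage on the child image path and command line rather than on the parent alone, and expect to allowlist any legitimate children your environment shows.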
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1574.001
Created: 2024-12-10