
Suspicious ShellExec_RunDLL Call Via Ordinal

Sigma Rules

Summary
This detection rule identifies potentially malicious calls to the ShellExec_RunDLL function exported by SHELL32.DLL when the function is referenced by its ordinal number rather than by its exported name. Calling the function by ordinal can be a deliberate attempt to evade detection logic that looks only for the function's standard name. Specifically, the rule matches process events in which the parent command line references SHELL32.DLL together with one of several defined ordinals associated with invoking commands, and in which the child process is one of several common command-line tools frequently leveraged in attacks. Monitoring for this behavior is intended to surface pre-ransomware activity and other evasive tactics used by threat actors.
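The following is an added example of how the matching logic described above can be expressed as a small detection function run over constructed process events. It is not the rule's own Sigma source: the page does not list the ordinals or the child images the rule checks, so the SUSPICIOUS_ORDINALS and SUSPICIOUS_CHILD_IMAGES sets below are assumptions, as are the event field names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: the rule checks "several defined ordinals" but the page does not
# list them. This set is a placeholder for the example, not the rule's own list.
SUSPICIOUS_ORDINALS = {"#43", "#44", "#45", "#46"}

# ASSUMPTION: common command-line tools treated as suspicious children. The
# page does not enumerate them; these are illustrative only.
SUSPICIOUS_CHILD_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "regsvr32.exe", "certutil.exe",
}

# Matches "SHELL32.DLL,#<n>" (case-insensitive, optional spaces around the comma)
# and captures the ordinal token, e.g. "#43".
ORDINAL_RE = re.compile(r"shell32\.dll\s*,\s*(#\d+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process event shape; field names are assumed, not Sigma's."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def extract_ordinal(cmdline: str) -> Optional[str]:
    """Return the ordinal token following SHELL32.DLL, or None if the DLL is
    referenced by exported name (or not at all)."""
    m = ORDINAL_RE.search(cmdline)
    return m.group(1) if m else None


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when the parent command line calls SHELL32.DLL by a watched ordinal
    and the child is one of the watched command-line tools."""
    if "shell32.dll" not in ev.parent_command_line.lower():
        return False
    ordinal = extract_ordinal(ev.parent_command_line)
    if ordinal is None or ordinal not in SUSPICIOUS_ORDINALS:
        return False
    child = ev.image.rsplit("\\", 1)[-1].lower()
    return child in SUSPICIOUS_CHILD_IMAGES


def run_detection(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events that match the detection."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinal call spawning cmd.exe: should match.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe /c hostname",
        parent_image=r"C:\Windows\System32\rundll32.exe",
        parent_command_line="rundll32.exe SHELL32.DLL,#43 cmd.exe /c hostname",
    ),
    # Export called by name (no ordinal): should not match.
    ProcessEvent(
        image=r"C:\Windows\System32\control.exe",
        command_line="control.exe desk.cpl",
        parent_image=r"C:\Windows\System32\rundll32.exe",
        parent_command_line="rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    ),
    # Watched ordinal but child is not a watched tool: should not match.
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\System32\rundll32.exe",
        parent_command_line="rundll32.exe SHELL32.DLL,#43 notepad.exe",
    ),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("MATCH:", hit.parent_command_line, "->", hit.image)
```

Both conditions must hold for a match, which keeps ordinary Control Panel launches (export called by name) and ordinal calls that spawn non-tool children out of the results; the ordinal and child-image sets are the knobs a detection engineer would populate from the actual rule source.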
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2024-12-01