Loaded Module Enumeration Via Tasklist.EXE

Sigma Rules

Summary
This detection rule identifies the enumeration of loaded dynamic link libraries (DLLs) or executables (EXEs) within a Windows environment using the 'tasklist.exe' command. Attackers often use this command to list running processes together with their loaded modules in order to find the process identifier (PID) of the process hosting a target DLL, which in turn lets them dump that process's memory or carry out other activity aimed at gathering sensitive information. By monitoring the command line of 'tasklist.exe' for module-enumeration parameters, particularly those referencing 'rdpcorets.dll', the rule flags process creations in which a specific module is being located in this way. The rule is currently marked as experimental, meaning further adjustment or validation is likely before it can be relied on for detection.
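The following is an added Python example, not the Sigma rule itself, showing the detection logic run over constructed process-creation events. It assumes Sysmon-style 'Image' and 'CommandLine' fields, and that the module listing is requested with tasklist's '/m' switch (an assumption; the summary above names only the 'rdpcorets.dll' string); the watched-module set generalizes the check to other DLL names beyond the one the rule names.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /m rdpcorets.dll"},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist.exe /M RDPCoreTS.dll /FI "STATUS eq RUNNING"'},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /svc"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo rdpcorets.dll"},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /m kernel32.dll"},
]

# Modules whose enumeration should raise an alert. The rule on this page
# names only rdpcorets.dll; extending the set is an assumption for illustration.
WATCHED_MODULES = {"rdpcorets.dll"}

# Matches the '/m' switch as a standalone token (assumed module-listing switch),
# so that other switches such as '/svc' do not trigger the rule.
MODULE_SWITCH = re.compile(r"(?:^|\s)/m\b")


def matches(event: dict) -> bool:
    """Return True when the event is tasklist.exe enumerating a watched module."""
    # Sigma 'contains' comparisons are case-insensitive, so normalise both fields.
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\tasklist.exe"):
        return False
    if not MODULE_SWITCH.search(cmd):
        return False
    return any(module in cmd for module in WATCHED_MODULES)


def scan(events: list) -> list:
    """Return the command lines of all events that match the detection."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```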
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
Created: 2024-02-12