Kavremover Dropped Binary LOLBIN Usage

Summary
This detection rule identifies suspicious execution of a signed binary that is dropped by Kaspersky Lab Products Remover, commonly known as kavremover. When invoked with specific command-line arguments, this binary can be abused as a Living Off the Land Binary (LOLBIN) to execute arbitrary commands or other binaries. The primary selection criterion is the presence of the argument 'run run-cmd' in the process command line. The rule then filters out processes whose parent is one of the legitimate binaries cleanapi.exe or kavremover.exe, so that any execution not initiated through these expected parents is flagged. Deploying this rule improves visibility into the misuse of security tooling and helps protect Windows environments from LOLBIN-based abuse.
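The selection and filter logic described above, as an added example that is not the Sigma rule itself nor code from the rule's authors: a small evaluator applied to constructed Sysmon-style process-creation events. The field names CommandLine and ParentImage follow the Sigma process_creation convention, the dropped binary's name is a placeholder because the page does not state it, and the sample events are made up.

```python
import ntpath

# Selection: the command-line argument the rule keys on (matched case-insensitively,
# as Sigma's 'contains' modifier is by default).
SELECTION_ARG = "run run-cmd"

# Filter: parents that legitimately launch the dropped binary. Events whose parent
# is one of these are excluded; everything else that matched the selection is flagged.
LEGITIMATE_PARENTS = {"cleanapi.exe", "kavremover.exe"}


def is_suspicious(event: dict) -> bool:
    """Return True when the event matches the rule: the command line contains
    'run run-cmd' and the parent image is not cleanapi.exe or kavremover.exe."""
    cmdline = event.get("CommandLine", "")
    if SELECTION_ARG not in cmdline.lower():
        return False
    # Compare only the parent's file name, so the install path does not matter.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return parent not in LEGITIMATE_PARENTS


def triage(events: list) -> list:
    """Apply the rule to a batch of events and return those that fire."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). "<dropped-binary>.exe" and
# "<command>" are placeholders; the page does not name the actual binary.
SAMPLE_EVENTS = [
    {   # expected parent: kavremover.exe launched the dropped binary itself
        "CommandLine": "<dropped-binary>.exe run run-cmd <command>",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\kavremover.exe",
    },
    {   # expected parent: cleanapi.exe, also excluded by the filter
        "CommandLine": "<dropped-binary>.exe RUN RUN-CMD <command>",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\cleanapi.exe",
    },
    {   # unexpected parent: an interactive shell launched the dropped binary
        "CommandLine": "<dropped-binary>.exe run run-cmd <command>",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # no 'run run-cmd' argument at all, so the selection does not match
        "CommandLine": "<dropped-binary>.exe --help",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```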
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-11-01