
Summary
This detection rule aims to identify the planting stage of DLL search order hijacking, in which an attacker writes a DLL into a directory from which a legitimate application will load it in preference to the intended library, so that the application executes the attacker's code instead. It does so by monitoring the creation of DLL files in the per-user directories of well-known desktop applications such as Slack, Teams and OneDrive. These applications install under the user's profile (for example %LOCALAPPDATA%), so their directories are writable without administrative rights and a low-privileged foothold is enough to plant a file there. The rule flags events in which a process commonly leveraged by attackers, such as cmd.exe or powershell.exe, creates a file whose target filename ends in .dll under a user directory or one of these application-specific folders. An additional filter condition excludes specific legitimate command prompt usage scenarios to reduce false positives. Although the rule is categorised as initial access, the behaviour itself is the execution-flow hijack that MITRE ATT&CK tracks as T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking) under persistence, privilege escalation and defence evasion. A file-creation event shows the drop, not the subsequent load, so a hit should be corroborated with image-load telemetry for the targeted application's own executable before concluding that the hijack succeeded.
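The matching logic described above, run over constructed Sysmon-style file-creation events, as an added Python example and not the rule's own query. Two parts are assumptions: the watched directory patterns follow the default %LOCALAPPDATA% install paths of Slack, classic Teams and OneDrive rather than the rule's exact path list, and the command-line allow-list is a hypothetical stand-in for the rule's unspecified "legitimate command prompt usage" exclusion.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Processes the rule summary names as commonly abused to drop a DLL.
SUSPICIOUS_CREATORS = {"cmd.exe", "powershell.exe"}

# ASSUMPTION: per-user install directories of the named applications, based on
# their default %LOCALAPPDATA% locations (Slack, classic Teams, OneDrive).
# The original rule's exact path list is not reproduced here.
WATCHED_DIRS = re.compile(
    r"\\users\\[^\\]+\\appdata\\local\\"
    r"(slack\\|microsoft\\teams\\|microsoft\\onedrive\\)"
)

# HYPOTHETICAL allow-list standing in for the rule's exclusion of legitimate
# command prompt usage; the summary does not disclose the real condition.
BENIGN_COMMANDLINE_MARKERS = ("\\it-deploy\\",)


@dataclass(frozen=True)
class FileCreateEvent:
    """Constructed event, loosely modelled on Sysmon Event ID 11 fields plus the
    creating process's command line (joined from process telemetry in practice)."""
    image: str             # full path of the process that created the file
    command_line: str      # command line of that process
    target_filename: str   # full path of the file that was created


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_dll_drop(ev: FileCreateEvent) -> bool:
    """Return True when a living-off-the-land shell writes a .dll into a
    hijackable per-user application directory and no exclusion applies."""
    target = ev.target_filename.replace("/", "\\").lower()
    if not target.endswith(".dll"):               # only DLL files matter
        return False
    if _basename(ev.image) not in SUSPICIOUS_CREATORS:
        return False                              # installers, updaters, etc. pass
    if not WATCHED_DIRS.search(target):           # outside the sensitive folders
        return False
    cmd = ev.command_line.lower()
    if any(marker in cmd for marker in BENIGN_COMMANDLINE_MARKERS):
        return False                              # allow-listed legitimate usage
    return True


def detect(events: Iterable[FileCreateEvent]) -> List[str]:
    """Return the target filenames of all events that trip the rule."""
    return [ev.target_filename for ev in events if is_suspicious_dll_drop(ev)]


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

# Constructed sample telemetry for this example.
SAMPLE_EVENTS = [
    FileCreateEvent(CMD, r'cmd.exe /c copy version.dll "%LOCALAPPDATA%\slack\app-4.29.149\"',
                    r"C:\Users\alice\AppData\Local\slack\app-4.29.149\version.dll"),
    FileCreateEvent(PS, "powershell.exe -nop -w hidden -enc SQBFAFgA",
                    r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\userenv.dll"),
    FileCreateEvent(MSIEXEC, "msiexec.exe /i Teams_windows_x64.msi /qn",
                    r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\ffmpeg.dll"),
    FileCreateEvent(CMD, "cmd.exe /c echo {} > config.json",
                    r"C:\Users\alice\AppData\Local\slack\app-4.29.149\config.json"),
    FileCreateEvent(CMD, r"cmd.exe /c copy \\fileserver\it-deploy\version.dll .",
                    r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\VERSION.DLL"),
    FileCreateEvent(CMD, "cmd.exe /c certutil -decode blob.txt x.dll",
                    r"C:\Users\alice\AppData\Local\Temp\x.dll"),
    FileCreateEvent(CMD, "cmd.exe /c move winmm.dll Teams\\current\\",
                    r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\WINMM.DLL"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("suspicious DLL drop:", hit)
```

Three of the seven events fire: the Slack drop by cmd.exe, the OneDrive drop by powershell.exe and the upper-case Teams drop, which shows why the comparison must be case-insensitive on Windows paths. The msiexec installer, the non-DLL write, the allow-listed deployment command and the write to Temp are all excluded, the last one a reminder that a DLL in an unwatched directory is only caught if the application is later observed loading it, which is the image-load corroboration mentioned above.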
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2022-10-21