
Summary
This detection rule identifies suspicious command-line execution of AddInUtil.exe, the Add-In deployment cache utility, on Windows hosts. It flags invocations whose 'AddInRoot' or 'PipelineRoot' parameters point to non-standard locations such as Temp, Desktop, or Public directories, where an adversary may have staged a local payload. The detection logic checks the command-line arguments and the paths they reference, and combines several conditions so that AddInUtil.exe is only flagged when it is run under suspicious circumstances. AddInUtil.exe is leveraged as a defense evasion technique because it lets a malicious payload execute nested within a legitimate application framework; catching these invocations early helps protect organizational assets against such attempts.
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-09-18