
Summary
This detection rule identifies potentially malicious execution of the Windows Defender Offline utility 'OfflineScannerShell.exe' from an unusual directory. The legitimate executable resides in C:\Program Files\Windows Defender\Offline\. It is, however, a DLL sideloading candidate: at start-up it loads a library named 'mpclient.dll' by name rather than by full path, so when the binary is copied to another directory and launched from there, a 'mpclient.dll' planted in the current working directory is loaded in place of the genuine Defender library. The rule therefore uses process creation logs to flag any 'OfflineScannerShell.exe' launch whose location does not match the standard path, surfacing attempts to run an attacker's payload under the cover of a signed Microsoft binary. Because the check is on location alone, a legitimate copy launched from some other working directory will also match; such hits should be triaged by examining whether a 'mpclient.dll' is present next to the binary or in the working directory.
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-03-06