
Summary
This detection rule identifies potential attempts to exploit WPS Office through DLL hijacking via the `promecefpluginhost.exe` executable. It is designed to detect the loading of suspicious libraries that could indicate exploitation of CVE-2024-7262 or CVE-2024-7263, vulnerabilities that attackers can use to execute arbitrary code. The rule uses EQL (Event Query Language) to scan logs from Windows endpoints for events in which `promecefpluginhost.exe` loads a DLL from a suspicious location, particularly a temporary or network path. The rule carries a risk score of 73 (high) and is mapped to the 'Initial Access' and 'Execution' tactics of the MITRE ATT&CK framework. The detection uses logs from both Windows Sysmon and Elastic Defend data sources. A detailed investigation guide is included for responding to alerts; it helps analysts distinguish real threats from false positives in enterprise environments that use WPS Office extensively.
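The following is an added example of the detection logic described above, run over constructed sample events; it is not the rule's own EQL query and not code from the rule's authors. It assumes ECS-style field names (`event.category`, `process.name`, `dll.path`) for the library-load events that Sysmon (Event ID 7, ImageLoad) and Elastic Defend produce, and it treats any path under a `Temp` directory or any UNC (`\\server\share`) path as a "temporary or network location"; both the field names and the path heuristics are assumptions made for this example, and the sample paths are constructed, not real telemetry.

```python
"""Toy re-implementation of the WPS Office DLL-hijack detection logic.

Assumption: events are flat dicts with ECS-style keys. Real deployments would
express this as an EQL query over Sysmon / Elastic Defend library events.
"""

TARGET_PROCESS = "promecefpluginhost.exe"


def is_temp_or_network_path(path: str) -> bool:
    """Heuristic (assumed for this example): a Temp directory or a UNC path.

    UNC paths start with two backslashes, which also covers the
    \\\\?\\UNC\\server\\share long-path form.
    """
    lowered = path.lower()
    return "\\temp\\" in lowered or lowered.startswith("\\\\")


def is_suspicious_library_load(event: dict) -> bool:
    """True when promecefpluginhost.exe loads a DLL from a temp or network path."""
    if event.get("event.category") != "library":
        return False
    if (event.get("process.name") or "").lower() != TARGET_PROCESS:
        return False
    return is_temp_or_network_path(event.get("dll.path") or "")


def run_detection(events: list[dict]) -> list[dict]:
    """Return the subset of events that would raise an alert."""
    return [e for e in events if is_suspicious_library_load(e)]


# Constructed sample events (not real telemetry, not the page's data).
SAMPLE_EVENTS = [
    # Benign: library loaded from the (constructed) install directory.
    {"event.category": "library", "process.name": "promecefpluginhost.exe",
     "dll.path": r"C:\Program Files\WPS Office\office6\example.dll"},
    # Suspicious: loaded from the user's Temp directory.
    {"event.category": "library", "process.name": "promecefpluginhost.exe",
     "dll.path": r"C:\Users\alice\AppData\Local\Temp\example.dll"},
    # Suspicious: loaded from a network share (UNC path).
    {"event.category": "library", "process.name": "PromeCefPluginHost.exe",
     "dll.path": r"\\fileserver\share\example.dll"},
    # Not in scope: a different process loading from Temp.
    {"event.category": "library", "process.name": "notepad.exe",
     "dll.path": r"C:\Windows\Temp\example.dll"},
    # Not in scope: a process-creation event, not a library load.
    {"event.category": "process", "process.name": "promecefpluginhost.exe",
     "dll.path": r"C:\Windows\Temp\example.dll"},
    # Suspicious: loaded from the system-wide Temp directory.
    {"event.category": "library", "process.name": "promecefpluginhost.exe",
     "dll.path": r"C:\Windows\Temp\example.dll"},
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print("ALERT:", alert["process.name"], "loaded", alert["dll.path"])
```

Matching on `process.name` alone is what the rule description implies; an analyst triaging an alert would still check the parent process and the loaded file's signature, as the investigation guide suggests, since legitimate installers can also stage files in `Temp`.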
Categories
- Endpoint
- Windows
Data Sources
- Process
- Image
ATT&CK Techniques
- T1203
- T1189
Created: 2024-08-29