
Summary
This detection rule identifies potential DLL injection attacks or execution attempts involving the "Tracker.exe" binary on Windows systems. It focuses on the behavior associated with the execution of "Tracker.exe", specifically monitoring for its appearance in process creation logs, and sets criteria for identifying malicious activities that often leverage this executable for injection purposes. It detects instances where "Tracker.exe" is either directly executed or invoked with command line arguments indicative of DLL injection; the command line must include specific switches such as '/d' or '/c'. Additionally, processes initiated by MSBuild that attempt to execute "Tracker.exe" under certain conditions are flagged, particularly when they carry an error reporting flag that prompts for user input. The rule is structured to minimize false positives by allowing only specific command line usages and filtering out known benign instances whose noise could otherwise mask malicious usage of the binary. Overall, this rule is applicable for threat detection in Windows environments where monitoring for process creation and execution anomalies is crucial.
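Added example, not the rule's own code: a small Python evaluation of the "Tracker.exe" logic described above, run over constructed process-creation events. It assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, ParentImage, CommandLine), requires both /d and /c to be present for a hit, and reports the parent image for triage instead of encoding the MSBuild condition.

```python
"""Added example: run the Tracker.exe detection logic summarised above over
constructed process-creation events (Sysmon Event ID 1 style field names)."""
import shlex
from pathlib import PureWindowsPath
from typing import List, Optional

TARGET = "tracker.exe"
# Assumption: both switches must be present for a hit ('/d <dll> /c <command>').
REQUIRED_SWITCHES = {"/d", "/c"}

def command_switches(cmdline: str) -> set:
    """Lower-cased '/x' or '-x' tokens; posix=False keeps quoted Windows paths intact."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    return {t.lower() for t in tokens if len(t) > 1 and t[0] in "/-"}

def is_tracker(event: dict) -> bool:
    """Match the image basename or OriginalFileName (PE header name), so a
    renamed copy of the binary is still recognised; both case-insensitive."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    return TARGET in (image, event.get("OriginalFileName", "").lower())

def evaluate(event: dict) -> Optional[dict]:
    """Return an alert record when the event matches, else None. The parent
    image is carried along so the analyst can weigh MSBuild context at triage."""
    if not is_tracker(event):
        return None
    if not REQUIRED_SWITCHES <= command_switches(event.get("CommandLine", "")):
        return None
    return {"image": event["Image"],
            "parent": PureWindowsPath(event.get("ParentImage", "")).name,
            "switches": sorted(REQUIRED_SWITCHES)}

def run(events: List[dict]) -> List[dict]:
    return [alert for alert in map(evaluate, events) if alert]

# Constructed sample telemetry, not real logs.
EVENTS = [
    {"Image": r"C:\Users\Public\Tracker.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'Tracker.exe /d "C:\Users\Public\sample.dll" /c notepad.exe'},
    {"Image": r"C:\Temp\updater.exe", "OriginalFileName": "Tracker.exe",  # renamed copy
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"updater.exe /D C:\Temp\sample.dll /C notepad.exe"},
    {"Image": r"C:\Program Files\MSBuild\Tracker.exe",  # no /d and /c: no hit
     "ParentImage": r"C:\Program Files\MSBuild\MSBuild.exe", "CommandLine": "Tracker.exe /?"},
]
```

The second event shows why matching on OriginalFileName matters: the binary was renamed, yet the switch pattern and PE name still produce a hit.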
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-10-18