
Summary
The detection rule identifies the execution of Internet Explorer (iexplore.exe) with the -extoff command-line flag, which disables all browser extensions. Malicious actors commonly use this flag to start a browser session stripped of the protective measures that security tools normally enforce, including antivirus extensions and company-specific add-ons deployed through group policy. By launching iexplore.exe in this manner, attackers can avoid detection while accessing phishing sites or command-and-control servers, or downloading harmful software. Although legitimate users such as IT administrators may use this flag for troubleshooting, it is infrequent in standard enterprise usage and is therefore flagged as suspicious, especially when invoked by Office applications or automated scripts. The rule leverages process-creation data from Sysmon and the Windows Event Log to detect instances of this process, providing valuable insight for anomaly detection on endpoints.
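The logic the summary describes, run over constructed process-creation records as an added example (this is not the rule's own implementation). It assumes Sysmon-style Image / CommandLine / ParentImage field names and an assumed list of Office and script-host parents that raise the severity:

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style field names,
# assumed here); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": '"C:\\Program Files\\Internet Explorer\\iexplore.exe" -extoff',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "CommandLine": "IEXPLORE.EXE -Extoff http://example.invalid/",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": '"iexplore.exe" -nohome',          # different flag: no match
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -extoff",         # wrong image: no match
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed set of parents that make the flag more suspicious: Office applications
# and script hosts, per the summary's "Office applications or automated scripts".
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "powershell.exe", "wscript.exe", "cscript.exe"}

# -extoff (or /extoff) as a stand-alone token, case-insensitive, so a URL that merely
# contains the string does not trigger the rule.
EXTOFF_RE = re.compile(r"(?:^|\s)[-/]extoff(?=\s|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_extoff(events):
    """Return one alert per iexplore.exe launch that carries the -extoff flag."""
    alerts = []
    for ev in events:
        if basename(ev.get("Image", "")) != "iexplore.exe":
            continue
        if not EXTOFF_RE.search(ev.get("CommandLine", "")):
            continue
        parent = basename(ev.get("ParentImage", ""))
        alerts.append({
            "command_line": ev["CommandLine"],
            "parent": parent,
            "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_extoff(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], alert["command_line"])
```

The explorer.exe-parented hit is left at medium severity because it matches the administrator troubleshooting case the summary mentions; the WINWORD.EXE-parented hit is raised to high.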
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1176.001
Created: 2025-05-26