DirLister Execution

Summary
The detection rule targets the execution of 'DirLister.exe', a tool used to quickly list the files and directories on a Windows system. Although designed for legitimate purposes, its use has been associated with malicious activity, particularly by the BlackCat ransomware group, which reportedly runs this utility to enumerate accessible directories and files as part of its attack methodology. The rule uses a straightforward selection: it flags process creation events in which 'DirLister.exe' is the executed image. Because legitimate administrative activity can trigger it, the rule is classified with a low severity level, and analysts must evaluate the surrounding context (user, parent process, command line, host role) to differentiate benign from malicious instances. This rule is part of a broader effort to improve detection of threats that misuse commonly available tools for malicious ends.
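The selection described above, as an added Python example that is not the Sigma rule's own source (the rule's actual selection fields are not reproduced on this page). It assumes the usual Sigma process_creation field mapping, in which the executed binary's path is in `Image`, and treats the match as a case-insensitive check that the image's file name is `DirLister.exe`, then attaches the context fields an analyst would want for triage. The events it runs over are constructed for the example.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation)
# as seen through Sigma's process_creation field names. Not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": "C:\\Tools\\DirLister.exe",
     "CommandLine": "DirLister.exe C:\\Users", "User": "CORP\\admin",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Case differs: Sigma string matching is case-insensitive by default.
    {"EventID": 1, "Image": "C:\\Users\\Public\\dirlister.EXE",
     "CommandLine": "dirlister.EXE D:\\", "User": "CORP\\svc-backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Same image but a network-connection event, not process creation: no match.
    {"EventID": 3, "Image": "C:\\Tools\\DirLister.exe", "DestinationIp": "10.0.0.5"},
    # Different file name that merely contains the string: no match.
    {"EventID": 1, "Image": "C:\\Tools\\NotDirLister.exe",
     "CommandLine": "NotDirLister.exe", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

TARGET_IMAGE_NAME = "dirlister.exe"  # assumed selection value (lower-cased)


def matches_dirlister(event: Dict) -> bool:
    """Return True when the event is a process creation whose image is DirLister.exe.

    Comparing the basename is equivalent to Sigma's `Image|endswith: '\\DirLister.exe'`
    for any Image value that carries a path; ntpath handles Windows separators on any host.
    """
    if event.get("EventID") != 1:  # only process creation events are in scope
        return False
    image = event.get("Image", "")
    return ntpath.basename(image).lower() == TARGET_IMAGE_NAME


def dirlister_alerts(events: Iterable[Dict]) -> List[Dict]:
    """Run the selection over a stream of events and emit low-severity alerts with triage context."""
    alerts = []
    for event in events:
        if not matches_dirlister(event):
            continue
        alerts.append({
            "rule": "DirLister Execution",
            "severity": "low",          # the page classifies the rule as low severity
            "technique": "T1083",       # File and Directory Discovery
            "image": event.get("Image"),
            # Context an analyst needs to separate admin use from discovery activity.
            "user": event.get("User"),
            "parent_image": event.get("ParentImage"),
            "command_line": event.get("CommandLine"),
        })
    return alerts


if __name__ == "__main__":
    for alert in dirlister_alerts(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts (the admin-launched and the cmd-launched executions); the network event and `NotDirLister.exe` are correctly ignored. The alert carries the user and parent process precisely because the rule's low severity means the match alone is not a verdict.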
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1083
Created: 2022-08-20