
Summary
This rule detects execution of 'lodctr.exe', the Windows utility used to rebuild the performance counter registry values. An attacker can abuse this tool by supplying a malicious configuration file, overwriting the legitimate performance counter settings; this can confuse security monitoring that relies on those counters and help the attacker evade detection, so its use should be monitored. The rule captures events where 'lodctr.exe' is executed and specifically looks for command-line arguments that indicate the rebuilding of performance counters. The detection logic uses process creation logs to identify when 'lodctr.exe' is run, checking both the image name and the command line for the patterns that signify a potentially malicious use of this legitimate tool.
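The following is an added example of the detection logic described above run over constructed process creation events; it is not the rule's own definition or any vendor's code. It assumes the rebuild switch is `/r` (as documented for lodctr) and, as a deliberate widening, also matches the `-r` form and the `/r:<backup file>` restore form, both of which replace the counter registry values; the event field names follow the Sysmon/Windows Security process creation layout, and all events are constructed sample data.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style fields).
# These are not real telemetry; they exist only to exercise the matcher.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\lodctr.exe",
     "CommandLine": "lodctr /R",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\LODCTR.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\LODCTR.EXE" /r:C:\Users\Public\counters.bak',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\lodctr.exe",
     "CommandLine": "lodctr /q",          # query only, does not rebuild
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe /r",     # right switch, wrong binary
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Temp\lodctr.exe",       # copied out of System32 (constructed)
     "CommandLine": "lodctr.exe -R",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Image check: the file name must be lodctr.exe, regardless of directory or case.
IMAGE_RE = re.compile(r"(?:^|[\\/])lodctr\.exe$", re.IGNORECASE)

# Command-line check: a standalone /r or -r switch, optionally followed by ":<file>"
# (the restore form). Anchoring on whitespace avoids matching "/r" inside a path.
# Accepting "-r" as well as "/r" is an assumption made here to reduce trivial misses.
REBUILD_SWITCH_RE = re.compile(r"(?:^|\s)[/-]r(?:\s|:|$)", re.IGNORECASE)


def is_lodctr_rebuild(event):
    """Return True when the event is lodctr.exe invoked with a rebuild/restore switch."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return bool(IMAGE_RE.search(image)) and bool(REBUILD_SWITCH_RE.search(cmdline))


def scan(events):
    """Apply the rule to a sequence of events; return (index, event) pairs that match."""
    return [(i, ev) for i, ev in enumerate(events) if is_lodctr_rebuild(ev)]


def triage_note(event):
    """Context an analyst wants next to a hit: where the binary ran from and who launched it.
    A lodctr.exe outside System32/SysWOW64 is flagged as a stronger signal (assumed heuristic)."""
    image = event.get("Image", "").lower()
    in_system_dir = "\\windows\\system32\\" in image or "\\windows\\syswow64\\" in image
    return {
        "image_in_system_dir": in_system_dir,
        "parent": event.get("ParentImage", "<unknown>"),
    }


if __name__ == "__main__":
    for idx, ev in scan(SAMPLE_EVENTS):
        print(f"[{idx}] {ev['CommandLine']!r} -> {triage_note(ev)}")
```

The third and fourth sample events show why both checks are needed: a query-only `lodctr /q` is not a rebuild, and an unrelated binary with a `/r` switch must not fire the rule. Parent process and binary location are not part of the detection itself but are the first things to pull when triaging a hit.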
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-06-15