
Uncommon AddinUtil.EXE CommandLine Execution

Sigma Rules

Summary
The rule flags executions of the .NET Framework Add-In deployment cache updating utility (AddInUtil.exe) whose command line sets the -AddInRoot: or -PipelineRoot: switch to a location other than the standard paths used by Microsoft applications. AddInUtil.exe rebuilds the add-in cache from whatever add-in root and pipeline root directories it is pointed at, so an attacker who controls those directories can have a signed Microsoft binary process, and ultimately load, add-ins of their choosing; this is the living-off-the-land use of AddInUtil.exe the rule targets.

The detection works on Windows process creation events and requires all of the following: the process image is addinutil.exe, the command line contains -AddInRoot: or -PipelineRoot:, and the root path given does not match one of the known legitimate paths the rule explicitly excludes. Invocations that omit both switches, for example a plain cache rebuild, do not match. Keeping the selection narrow and expressing known-good locations as exclusions is what holds false positives down; tuning for a given environment should extend the exclusion list with additional observed roots rather than loosen the selection.
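To show the logic concretely, the following is an added example written for this page, not the Sigma rule itself or any code from its authors. It applies the same three conditions (image is addinutil.exe, a root switch is present, the root is not an allowlisted path) to a handful of constructed process-creation events. Assumptions: the ProcessEvent fields, the evaluate and run_detection helpers and the sample command lines are all made up here, and LEGITIMATE_ROOTS is an illustrative allowlist, not the rule's actual exclusion list, which should be taken from the rule source. The example goes slightly beyond the rule text by also matching on OriginalFileName, so a renamed copy of the binary is still caught.

```python
import re
from dataclasses import dataclass

# Assumed allowlist for illustration only; the published rule carries its own
# filter list and that is the authoritative set of excluded paths.
LEGITIMATE_ROOTS = (
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA",
)

# Matches -AddInRoot:<path> and -PipelineRoot:<path>, quoted or unquoted,
# case-insensitively (Sigma 'contains' is case-insensitive as well).
ROOT_FLAG = re.compile(r'-(addinroot|pipelineroot):(?:"([^"]*)"|(\S*))', re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Windows process creation record (hypothetical shape)."""
    image: str
    command_line: str
    original_file_name: str = ""


def is_addinutil(evt):
    # Image name or PE OriginalFileName; the latter survives a rename of the binary.
    return (evt.image.lower().endswith("\\addinutil.exe")
            or evt.original_file_name.lower() == "addinutil.exe")


def extract_roots(command_line):
    """Return [(flag, path), ...] for every -AddInRoot:/-PipelineRoot: switch."""
    roots = []
    for m in ROOT_FLAG.finditer(command_line):
        flag = m.group(1).lower()
        path = m.group(2) if m.group(2) is not None else m.group(3)
        roots.append((flag, path))
    return roots


def is_legitimate_root(path):
    p = path.lower().rstrip("\\")
    return any(p.startswith(root.lower()) for root in LEGITIMATE_ROOTS)


def evaluate(evt):
    """Return an alert dict when the event matches the rule logic, else None."""
    if not is_addinutil(evt):
        return None
    roots = extract_roots(evt.command_line)
    if not roots:                      # no root switch at all, e.g. a plain -rebuild
        return None
    uncommon = [(f, p) for f, p in roots if not is_legitimate_root(p)]
    if not uncommon:                   # every root points at an allowlisted location
        return None
    return {"image": evt.image, "uncommon_roots": uncommon}


# Constructed sample events, not real telemetry.
NET_DIR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    # 1. Legitimate: both roots under the allowlisted VSTA directory -> no alert
    ProcessEvent(NET_DIR + r"\AddInUtil.exe",
                 r'AddInUtil.exe -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline"'
                 r' -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline"'),
    # 2. Attacker-controlled roots in a world-writable directory -> alert
    ProcessEvent(NET_DIR + r"\AddInUtil.exe",
                 r"AddInUtil.exe -AddInRoot:C:\Users\Public\addins -PipelineRoot:C:\Users\Public\addins"),
    # 3. No root switch given -> outside the rule's scope, no alert
    ProcessEvent(NET_DIR + r"\AddInUtil.exe", r"AddInUtil.exe -rebuild"),
    # 4. Renamed binary, mixed-case switch, caught via OriginalFileName -> alert
    ProcessEvent(r"C:\Users\bob\Downloads\update.exe",
                 r'update.exe -ADDINROOT:"C:\Users\bob\Downloads\x"',
                 original_file_name="AddInUtil.exe"),
    # 5. Different binary with a look-alike argument -> no alert
    ProcessEvent(r"C:\Windows\notepad.exe", r"notepad.exe -AddInRoot:C:\temp"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Evaluate every event and return only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

One design point worth noting: this example evaluates each root path on its own, so a command line that pairs an allowlisted -AddInRoot: with an attacker-controlled -PipelineRoot: still alerts. A filter written as a substring match against the whole command line would treat the presence of the legitimate prefix as enough to suppress the event, so when porting the rule to a backend that only supports whole-string matching, keep that gap in mind.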
Categories
  • Windows
Data Sources
  • Process
Created: 2023-09-18