
Summary
This detection rule identifies potentially malicious use of AdPlus.exe, a debugging utility shipped with the Windows Software Development Kit (Debugging Tools for Windows). AdPlus.exe is a legitimate tool for troubleshooting applications by producing memory dumps of running processes. Because it is signed, already present on developer and build machines, and able to attach to arbitrary processes, it can be abused as a living-off-the-land binary (LOLBIN) to dump process memory (for example, credential material from a privileged process) or to launch a process under the debugger; this dual-use nature makes it attractive for defense evasion and execution. The rule monitors Windows process creation events and flags executions of AdPlus.exe, identified by the image name or original file name so that a renamed copy is still caught, whose command line carries switches associated with its misuse, such as those that select a dump mode (for example a hang-mode dump), name a target process by name or PID, or direct the dump output to a chosen directory. Requiring these switches narrows the detection to invocations that actually touch other processes, while acknowledging that the same invocations are routine for debugging. Because AdPlus.exe can be essential for legitimate troubleshooting, tuning (for instance, allowlisting known developer parent processes or build hosts) and ongoing false positive management are needed to keep alert volume manageable.
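The detection logic described above, run over a handful of constructed process creation events, as an added example (this is not the rule's own query and not code from the rule's author). The switch list, the field names (Image, OriginalFileName, CommandLine, ParentImage), the sample events and the devenv.exe allowlist entry are assumptions made for the example; the real rule's selection may differ.

```python
"""Toy AdPlus.exe detection over Sysmon-style process creation events.

Added example, not the original rule. The suspicious switch set and the
sample events below are assumptions chosen to illustrate the logic.
"""
import re
from pathlib import PureWindowsPath

# AdPlus switches that select a dump mode, name a target process or set an
# output location. Assumed set for this example; the real rule may differ.
SUSPICIOUS_SWITCHES = {"-hang", "-crash", "-p", "-pn", "-o", "-c", "-sc"}
# Switches whose next token names the target process (by name or PID).
TARGET_SWITCHES = {"-p", "-pn"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: dump of a named process from a shell, suspicious
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": r"adplus.exe -hang -pn lsass.exe -o C:\Users\Public\dumps",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: same tool from an IDE, suppressed by the parent allowlist
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": r'adplus.exe -crash -o "C:\Users\dev\dump dir" -sc notepad.exe',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
    },
    {   # 3: renamed copy, still caught via OriginalFileName
        "Image": r"C:\Users\bob\AppData\Local\Temp\dbg.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": r"dbg.exe -hang -p 4321 -o C:\temp",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # 4: AdPlus without any dump/target switch, not flagged
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "adplus.exe -help",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 5: unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def adplus_match(event):
    """Return which field identified AdPlus ('Image' or 'OriginalFileName'), else None."""
    if PureWindowsPath(event.get("Image", "")).name.lower() == "adplus.exe":
        return "Image"
    if event.get("OriginalFileName", "").lower() == "adplus.exe":
        return "OriginalFileName"
    return None


def analyze_event(event, allowlisted_parents=()):
    """Return a finding dict for a suspicious AdPlus execution, or None."""
    matched_on = adplus_match(event)
    if matched_on is None:
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    # Normalise "/switch" to "-switch" so either spelling is compared the same way.
    switches = {("-" + t[1:]) if t.startswith("/") else t.lower() for t in tokens
                if t[:1] in "-/"}
    hits = sorted(switches & SUSPICIOUS_SWITCHES)
    if not hits:
        return None
    target = None
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in TARGET_SWITCHES:
            target = tokens[i + 1]
            break
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    allowlisted = parent in {p.lower() for p in allowlisted_parents}
    return {"matched_on": matched_on, "switches": hits, "target": target,
            "parent": parent, "allowlisted": allowlisted}


def run_detection(events, allowlisted_parents=()):
    """Findings for all events, with allowlisted parents dropped (tuning knob)."""
    findings = (analyze_event(e, allowlisted_parents) for e in events)
    return [f for f in findings if f is not None and not f["allowlisted"]]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS, allowlisted_parents=("devenv.exe",)):
        print(finding)
```

The parent-process allowlist is the tuning hook the summary calls for: it suppresses event 2 (an IDE launching AdPlus) while still reporting the shell-launched dump of a named process and the renamed copy, which is caught only because OriginalFileName is checked alongside the image path.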
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-09