
Summary
This detection rule identifies execution of the DInjector PowerShell cradle pattern on Windows hosts by monitoring process-creation events. It looks for command lines that contain the indicators ` /am51` and ` /password` (note the leading space in each), which are characteristic of DInjector usage. Implemented as a Sigma rule, the detection targets Windows systems and uses the process creation log source to recognize executions in which these command-line flags appear. The rule carries a critical severity level and is written to keep false positives low, which makes it particularly relevant where attackers employ defense evasion tactics. Additional context on the DInjector tool is available in the linked GitHub repository. The rule was authored by Florian Roth of Nextron Systems and was last modified in February 2023, indicating ongoing relevance and possible updates to the detection as the threat evolves.
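The following is an added example, not the Sigma rule itself or code from the DInjector repository: it replays the rule's matching logic over a few constructed process-creation events to show which lines fire. It assumes the rule requires both indicators in one command line (Sigma `contains|all`) and Sigma's default case-insensitive string matching; the sample events, record ids and file names are constructed.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry; only the fields the detection needs are included.
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "& .\loader.ps1 /am51 /password Pa55w0rd"'},
    {"RecordId": 2,
     "Image": r"C:\Tools\backup.exe",
     "CommandLine": r"backup.exe /source D:\data /password ********"},   # only one flag
    {"RecordId": 3,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\temp\am51.txt"},                # no leading ' /'
    {"RecordId": 4,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"PowerShell.EXE /AM51 /PASSWORD Pa55w0rd"},         # case variant
]

# Indicators exactly as the rule states them. The leading space is part of the
# match, so a flag glued to another token or a file named am51.txt does not fire.
INDICATORS = (" /am51", " /password")


def matches_dinjector_cradle(command_line: str) -> bool:
    """Sigma-style `CommandLine|contains|all` (assumed): every indicator must be a
    substring. Sigma string matching is case-insensitive by default, so fold case."""
    folded = command_line.lower()
    return all(indicator.lower() in folded for indicator in INDICATORS)


def run_detection(events):
    """Return the events the rule would fire on, in log order."""
    return [e for e in events if matches_dinjector_cradle(e.get("CommandLine", ""))]


def hit_record_ids(events):
    """Convenience view of run_detection() for triage or assertions."""
    return [e["RecordId"] for e in run_detection(events)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[critical] DInjector cradle pattern: record {hit['RecordId']} "
              f"-> {hit['CommandLine']}")
```

Records 1 and 4 fire; record 2 shows why a single flag is not enough, and record 3 shows the leading space doing its work against a look-alike filename.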
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-12-07