
Summary
This rule detects the execution of uncommon assistive technology (AT) applications via AtBroker.EXE, the Windows process that brokers the connection between assistive technology programs and Windows UI elements. The rule inspects the command line passed to AtBroker.EXE and distinguishes the built-in accessibility applications, which are generally considered safe, from non-default applications whose launch may indicate suspicious behavior. By matching the command line against specific keywords and filtering out the common assistive technologies, the rule aims to identify potential defense evasion techniques employed by malicious actors.
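The detection logic described above, written out as an added illustration (not the rule's own query or code) and run over constructed process-creation events; the "start" keyword and the allow-list of built-in accessibility tools are assumptions standing in for the rule's actual keyword lists.

```python
# Added example: a minimal detector mirroring the described logic.
# Constructed events and an assumed allow-list; not the rule's real definitions.
from typing import Dict, List

# Assumed allow-list of built-in Windows accessibility tools (illustrative
# subset only; the rule's full filter list is not reproduced here).
BUILTIN_AT_KEYWORDS = ("narrator", "osk", "magnifier", "stickykeys")


def is_suspicious_atbroker(event: Dict[str, str]) -> bool:
    """Return True when AtBroker.exe is asked to start a non-built-in AT app."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\atbroker.exe"):
        return False
    # Assumed keyword: AtBroker is invoked with "start <application>".
    if "start" not in cmdline:
        return False
    # Built-in assistive technologies are filtered out as benign. Note the
    # substring match: a name such as "kiosk" would also satisfy "osk", so a
    # production filter should match whole tokens, not substrings.
    return not any(kw in cmdline for kw in BUILTIN_AT_KEYWORDS)


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the detector to a batch of process-creation events."""
    return [e for e in events if is_suspicious_atbroker(e)]


# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start Narrator"},
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start osk"},
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start CustomReader"},
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe /silent"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe start"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], hit["CommandLine"])
```

Only the third event fires: a process named AtBroker.exe, a "start" keyword, and an application name not on the built-in list.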
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-10-12