Binary Proxy Execution Via Dotnet-Trace.EXE

Sigma Rules

Summary
The detection rule identifies potentially malicious use of the dotnet-trace.exe utility, which attackers can abuse for binary proxy execution. The rule monitors command-line arguments that may indicate the tool is being used for this purpose: it looks for instances where the command line contains both the '--' argument and the word 'collect', together with the execution of an image whose path ends with '\dotnet-trace.exe' or that is linked to 'dotnet-trace.dll'. That combination suggests an attempt to leverage this legitimate tool to execute unauthorized code, a tactic commonly employed by threat actors during intrusions. The detection is categorized under process creation events on Windows systems, making it particularly relevant in environments where .NET applications are prevalent. False positives may arise during legitimate debugging and tracing operations, so users are advised to review the context of each execution carefully.
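The matching logic described in the summary, as an added Python example that is not part of the rule or its source. It assumes Sysmon-style process-creation field names (Image, OriginalFileName, CommandLine, ProcessId) and treats '--' as a standalone argument, since `dotnet-trace collect -- <command>` is the form in which dotnet-trace launches the given command itself; the constructed sample events include the legitimate attach-by-PID workflow the summary warns can look similar.

```python
from typing import Dict, List

ProcEvent = Dict[str, str]  # one process-creation event, Sysmon-style field names


def image_matches(event: ProcEvent) -> bool:
    # Image ends with '\dotnet-trace.exe', or the PE's OriginalFileName is
    # 'dotnet-trace.dll', which still identifies a renamed copy of the tool.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\dotnet-trace.exe") or original == "dotnet-trace.dll"


def cmdline_matches(event: ProcEvent) -> bool:
    # 'collect' plus '--' as a standalone argument (padded with spaces), so a
    # long option such as '--providers' does not satisfy the '--' condition.
    padded = f" {event.get('CommandLine', '').lower()} "
    return "collect" in padded and " -- " in padded


def matches_rule(event: ProcEvent) -> bool:
    return image_matches(event) and cmdline_matches(event)


def triage(events: List[ProcEvent]) -> List[str]:
    """Return the ProcessId of every event that fires the rule."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcEvent] = [
    {  # 'collect -- <command>' makes dotnet-trace launch the child itself: fires
        "ProcessId": "4120",
        "Image": "C:\\Users\\dev\\.dotnet\\tools\\dotnet-trace.exe",
        "OriginalFileName": "dotnet-trace.dll",
        "CommandLine": "dotnet-trace collect -- C:\\Users\\dev\\AppData\\Local\\Temp\\upd.exe",
    },
    {  # renamed binary, still identified through OriginalFileName: fires
        "ProcessId": "4188",
        "Image": "C:\\Users\\dev\\Downloads\\svc.exe",
        "OriginalFileName": "dotnet-trace.dll",
        "CommandLine": "svc.exe collect -- cmd.exe /c dir",
    },
    {  # attaching to a running PID, the normal profiling workflow: no match
        "ProcessId": "5203",
        "Image": "C:\\Users\\dev\\.dotnet\\tools\\dotnet-trace.exe",
        "OriginalFileName": "dotnet-trace.dll",
        "CommandLine": "dotnet-trace collect -p 1234 --providers Microsoft-DotNETCore-SampleProfiler",
    },
]
```

Calling `triage(SAMPLE_EVENTS)` returns the first two ProcessIds only; the PID-attach session is left alone even though its command line contains both 'collect' and a '--'-prefixed option.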
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2024-01-02