
Uncommon Child Process Of AddinUtil.EXE

Sigma Rules

Summary
This detection rule identifies uncommon child processes spawned by the .NET Add-In deployment cache updating utility, AddInUtil.exe. The binary can be abused to proxy execution: an adversary points it at a custom add-in root (via its documented -AddInRoot / -PipelineRoot switches) containing a malicious Addins.Store, so that the payload runs with AddInUtil.exe as its parent. The rule is built on process creation events whose parent image is AddInUtil.exe and filters out the known benign children conhost.exe and werfault.exe to reduce false positives. Because AddInUtil.exe rarely spawns anything else in normal use, any other child (cmd.exe, powershell.exe, rundll32.exe and the like) should be treated as suspicious; the parent's command line, in particular a non-default add-in root path, is the first thing to check during triage. The rule applies to Windows endpoints.
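The following is an added example, not the Sigma rule itself and not code from the page or its authors: a minimal re-implementation of the rule's selection logic in Python, run over constructed process-creation events in a Sysmon-style field layout (EventID 1, Image, ParentImage, CommandLine). The benign-child list mirrors the page (conhost.exe, werfault.exe); the event records, paths and command lines are constructed sample data, and the suffix matching emulates Sigma's case-insensitive `endswith` modifier.

```python
"""Added example: the 'Uncommon Child Process Of AddinUtil.EXE' selection
logic re-implemented in Python over constructed Sysmon-style events.
Not the Sigma rule's own code; field names follow Sysmon EventID 1."""

from typing import Iterable

# Sigma: ParentImage|endswith: '\addinutil.exe'
PARENT_IMAGE_SUFFIX = "\\addinutil.exe"
# Sigma filter: Image|endswith: ['\conhost.exe', '\werfault.exe'] (per the page)
BENIGN_CHILD_SUFFIXES = ("\\conhost.exe", "\\werfault.exe")


def _ends_with_ci(value: str, suffix: str) -> bool:
    """Case-insensitive suffix match, emulating Sigma's endswith modifier."""
    return value.lower().endswith(suffix.lower())


def matches(event: dict) -> bool:
    """True when the event would fire the rule: a process-creation event whose
    parent is AddInUtil.exe and whose child is not on the benign list."""
    if event.get("EventID") != 1:  # only Sysmon process creation events
        return False
    if not _ends_with_ci(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIX):
        return False
    image = event.get("Image", "")
    return not any(_ends_with_ci(image, s) for s in BENIGN_CHILD_SUFFIXES)


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return the events that match the rule, preserving input order."""
    return [e for e in events if matches(e)]


def hit_summary(events: Iterable[dict]) -> list[tuple[str, str]]:
    """(child image basename, parent command line) per hit, for triage."""
    return [
        (e["Image"].rsplit("\\", 1)[-1], e.get("ParentCommandLine", ""))
        for e in find_hits(events)
    ]


# Constructed sample events (not real telemetry). The .NET path and the
# "-AddInRoot:" switch are the documented ones; the payload directory is invented.
_ADDINUTIL = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInUtil.exe"
_ATTACKER_CMD = _ADDINUTIL + " -AddInRoot:C:\\Users\\Public\\addins"

SAMPLE_EVENTS = [
    # benign: console host for the utility itself -> filtered
    {"EventID": 1, "ParentImage": _ADDINUTIL, "ParentCommandLine": _ADDINUTIL,
     "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    # suspicious: shell spawned from a custom add-in root -> hit
    {"EventID": 1, "ParentImage": _ADDINUTIL, "ParentCommandLine": _ATTACKER_CMD,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # benign crash reporter, mixed case -> filtered (case-insensitive match)
    {"EventID": 1, "ParentImage": _ADDINUTIL, "ParentCommandLine": _ADDINUTIL,
     "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u"},
    # different parent -> out of scope
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop"},
    # suspicious: PowerShell from the custom add-in root -> hit
    {"EventID": 1, "ParentImage": _ADDINUTIL, "ParentCommandLine": _ATTACKER_CMD,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    # not a process-creation event -> ignored regardless of fields
    {"EventID": 11, "ParentImage": _ADDINUTIL, "Image": _ADDINUTIL,
     "TargetFilename": "C:\\Users\\Public\\addins\\Addins.Store"},
]


if __name__ == "__main__":
    for child, parent_cmd in hit_summary(SAMPLE_EVENTS):
        print(f"HIT  child={child}  parent_cmd={parent_cmd}")
```

Running the block reports the two hits (cmd.exe and powershell.exe) together with the parent command line, which is where the non-default add-in root shows up; the conhost.exe and WerFault.exe children are suppressed by the filter, and events with another parent or a different event ID never reach the comparison.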
Categories
  • Windows
Data Sources
  • Process
Created: 2023-09-18