
Summary
This detection rule aims to identify the execution of malicious dynamic-link libraries (DLLs) through the legitimate tool Rasautou.exe. This tool, primarily intended for remote access and update purposes, can be misused by attackers to load arbitrary DLL files specified in its command-line arguments. The rule focuses on detecting Rasautou.exe being called with the '-d' and '-p' flags, which designate the DLL path and the specific function to execute, respectively. Due to changes in software versions, this rule is only relevant for Windows operating systems before version 10. Furthermore, the rule requires that Sysmon be configured or that specific updates be applied so that command-line auditing is active, which is crucial for effective monitoring and detection. Detection hinges on examining process creation logs and matching specific attributes indicative of malicious behavior. The rule addresses the growing concern of threat actors using common tools and functionalities to evade detection mechanisms and execute arbitrary code on compromised systems.
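The matching logic described above (process creation event, image name ending in rasautou.exe, command line carrying both a '-d' and a '-p' argument), as an added example run over a handful of constructed Sysmon Event ID 1 records. This is illustrative code written for this page, not the rule's own query; the event field names (EventID, Image, CommandLine) mirror Sysmon's process-creation event, and the sample events, paths and function names are constructed, not real telemetry.

```python
"""Detection logic for rasautou.exe being asked to load a DLL (-d) and run
one of its functions (-p), evaluated over constructed Sysmon EID 1 records."""
import re

# Constructed sample events (not real telemetry). Fields follow Sysmon
# Event ID 1 (process creation); EventID 3 is a network event and must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rasautou.exe",
     "CommandLine": r"rasautou.exe -d C:\Users\Public\sample.dll -p DllMain"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rasautou.exe",
     "CommandLine": r'rasautou.exe -d "C:\Program Files\Sample\quoted path.dll" -p Start'},
    # rasautou launched without a DLL argument: benign, no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\rasautou.exe",
     "CommandLine": "rasautou.exe"},
    # same flags, different image: not this rule's concern
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe -d x.dll -p y"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rasautou.exe",
     "CommandLine": r"rasautou.exe -d C:\Users\Public\sample.dll -p DllMain"},
]

# A flag token is '-d' or '-p' preceded by whitespace (or line start), followed by
# either a double-quoted value (paths with spaces) or an unquoted run of non-space.
FLAG_RE = re.compile(r'(?<!\S)-(?P<flag>[dp])\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def extract_flags(cmdline):
    """Return {'d': <dll path>, 'p': <function name>} for whichever flags are present."""
    found = {}
    for m in FLAG_RE.finditer(cmdline or ""):
        found[m.group("flag")] = m.group("quoted") or m.group("bare")
    return found


def is_rasautou_dll_exec(event):
    """True when a process-creation event shows rasautou.exe with both -d and -p."""
    if event.get("EventID") != 1:
        return False
    # Windows image paths are case-insensitive; normalise before the suffix check.
    image = event.get("Image", "").lower()
    if not image.endswith("\\rasautou.exe"):
        return False
    flags = extract_flags(event.get("CommandLine", ""))
    return "d" in flags and "p" in flags


def scan(events):
    """Return one finding per matching event: the image and the parsed DLL/function."""
    return [
        {"Image": e["Image"], **extract_flags(e["CommandLine"])}
        for e in events
        if is_rasautou_dll_exec(e)
    ]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT rasautou DLL load: dll={finding['d']!r} func={finding['p']!r}")
```

The suffix check on Image rather than a substring match on CommandLine is deliberate: the command line can be renamed or padded by the caller, while Sysmon records the resolved image path. The flag parser accepts quoted values so a DLL under a path containing spaces is still captured for the analyst.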
Categories
- Windows
- Endpoint
Data Sources
- Process
- Image
Created: 2020-10-09