HackTool - LittleCorporal Generated Maldoc Injection

Sigma Rules

Summary
This detection rule targets the process injection technique used by malicious documents generated with the LittleCorporal tool. It inspects process access events on Windows systems (one process opening a handle to another), looking for cases where the Word executable (winword.exe) is the source process and the target is a process related to the .NET framework. The rule combines the source and target process image names with the call trace recorded for the access: a call trace containing 'UNKNOWN' means a frame could not be attributed to any loaded module, an anomaly commonly associated with injected or unbacked code. Together these conditions help identify and mitigate attacks that abuse a legitimate application to execute malicious code.
<test>
</test>
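To make the three conditions in the summary concrete, the following is an added example (not the rule itself and not code from the Sigma project) that evaluates them over constructed records shaped like Sysmon Event ID 10 (ProcessAccess) events. The field names SourceImage, TargetImage and CallTrace are Sysmon's; the .NET path fragment, the helper names and all sample events are assumptions made for this example.

```python
"""Evaluate the LittleCorporal maldoc detection logic over sample events.

Each record mimics a Sysmon Event ID 10 (ProcessAccess) event. The sample
events below are constructed for this example and are not real telemetry.
"""

# Directory fragment that identifies .NET framework host binaries (assumption
# for this example; the page only says "processes related to the .NET framework").
DOTNET_PATH_FRAGMENT = ":\\windows\\microsoft.net\\framework"


def matches_rule(event: dict) -> bool:
    """Return True when an event meets all three conditions from the summary:
    winword.exe as the source image, a .NET framework process as the target
    image, and at least one 'UNKNOWN' (module-unbacked) frame in the call trace.
    Comparisons are case-insensitive, matching Sigma's default string handling."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    call_trace = event.get("CallTrace", "").lower()
    return (
        source.endswith("\\winword.exe")
        and DOTNET_PATH_FRAGMENT in target
        and "unknown" in call_trace
    )


def scan(events):
    """Return the indices of all events that match the rule, in input order."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (hypothetical paths, addresses and offsets).
SAMPLE_EVENTS = [
    {   # Word opening a .NET host with an unbacked frame in the trace -> alert
        "SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\example-host.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|"
                     "C:\\Windows\\System32\\KERNELBASE.dll+2c11e|UNKNOWN(000001E5B3A40123)",
    },
    {   # Word accessing a .NET process, but every frame is module-backed -> no alert
        "SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\example-host.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|"
                     "C:\\Windows\\System32\\KERNELBASE.dll+2c11e|"
                     "C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll+1a2b3c",
    },
    {   # Different source process -> no alert even with an UNKNOWN frame
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\example-host.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|UNKNOWN(00007FF6AB120000)",
    },
    {   # Word with an UNKNOWN frame, but the target is not a .NET process -> no alert
        "SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetImage": "C:\\Windows\\System32\\notepad.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|UNKNOWN(00007FF6AB120000)",
    },
]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {ev['SourceImage']} -> {ev['TargetImage']}")
```

Only the first sample trips all three conditions; the others each fail exactly one, which is a useful way to check that a translation of the rule into a SIEM query has not silently dropped a clause.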
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2021-08-09