
Summary
This detection rule flags suspicious uses of ShellExec_RunDLL, an export of shell32.dll that rundll32.exe can call to launch an arbitrary command line, a technique used by Raspberry Robin among other malware. The rule monitors Windows process creation events for command lines that invoke ShellExec_RunDLL together with arguments typical of execution-bypass tooling (known suspicious command-line fragments such as other living-off-the-land binaries or paths in user-writable directories). Because every selection in the rule must be true for it to fire, it focuses on contexts where the export is being used for defense evasion rather than alerting on every invocation of ShellExec_RunDLL. Monitoring of this kind helps surface pre-ransomware activity and other malicious process-creation behavior on Windows systems.
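The matching logic described above, run over a few constructed process-creation events, as an added example that is not the rule's own Sigma source. It models the two selections the summary describes: the ShellExec_RunDLL token must be present, and at least one suspicious argument fragment must be present too. The SUSPICIOUS_ARGS list and the sample events are assumptions for illustration, not the rule's actual selection values or real telemetry. Matching is case-insensitive, as Sigma `contains` is by default; note that an invocation of the export by ordinal (`shell32.dll,#N`) would not contain the token and so would not fire this logic.

```python
"""Toy re-implementation of a ShellExec_RunDLL process-creation detection.

Assumptions (illustrative, not the original rule):
  - events are dicts with "Image" and "CommandLine" fields, as produced by
    Sysmon Event ID 1 or Security Event ID 4688 style logging;
  - SUSPICIOUS_ARGS is an example list of execution-bypass fragments.
"""
from typing import Iterable

# Selection 1: the export name. Compared case-insensitively, like Sigma 'contains'.
SHELLEXEC_TOKEN = "shellexec_rundll"

# Selection 2 (assumed): fragments commonly seen when the export is abused to
# launch a second-stage LOLBin or a payload dropped to a user-writable path.
SUSPICIOUS_ARGS = (
    "regsvr32",
    "msiexec",
    "odbcconf",
    "\\users\\public\\",
    "\\temp\\",
    "\\desktop\\",
    "invoke-",
    "comspec",
)


def matched_args(cmdline: str) -> list[str]:
    """Return the suspicious fragments found in the command line (lowercased)."""
    cl = cmdline.lower()
    return [arg for arg in SUSPICIOUS_ARGS if arg in cl]


def is_suspicious_shellexec(cmdline: str) -> bool:
    """True only when BOTH selections match: the export token AND a suspicious argument."""
    cl = cmdline.lower()
    if SHELLEXEC_TOKEN not in cl:
        return False
    return bool(matched_args(cmdline))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL msiexec /q /i C:\Users\Public\setup.msi'},
    {"id": 2, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL regsvr32 /s C:\Windows\Temp\x.ocx"},
    # Token present, but no suspicious argument: both selections are required, so no alert.
    {"id": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe"},
    # Suspicious argument present, but the export is not invoked: no alert.
    {"id": 4, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\Public\a.msi"},
    # Invocation by ordinal evades a token-based selection: a known gap, no alert.
    {"id": 5, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,#123 regsvr32 /s C:\Users\Public\b.ocx"},
]


def run_detection(events: Iterable[dict]) -> list[int]:
    """Return the ids of events that satisfy both selections."""
    hits = []
    for ev in events:
        if is_suspicious_shellexec(ev.get("CommandLine", "")):
            hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = is_suspicious_shellexec(ev["CommandLine"])
        print(f"event {ev['id']}: {'ALERT' if flag else 'ok   '} {matched_args(ev['CommandLine'])}")
    print("alerts:", run_detection(SAMPLE_EVENTS))
```

Event 5 is the caveat a practitioner should keep in mind when tuning: rundll32 accepts an export by ordinal, so a command-line substring match on the export name covers the common case but not every way the same code path can be reached.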
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2022-09-01