
Summary
This detection rule identifies a defense evasion tactic used by malicious actors and malware: renaming commonly abused binaries on Windows systems. It leverages the Sysmon `OriginalFileName` attribute (the name embedded in the binary's version resource) to detect a process that has been executed under a file name different from its standard name. Attackers often rename tools such as `certutil.exe`, `mshta.exe`, and others in an attempt to circumvent security monitoring based on process names. The rule captures process-creation events where a watched binary runs under such a modified name, alerting security teams to potential intrusions. It also covers renamed copies of remote process execution and scripting tools such as Sysinternals PsExec and Windows PowerShell. While the rule is designed to reduce false negatives, some custom applications that ship renamed binaries may generate false positives; these can usually be handled by whitelisting known benign processes. This detection supports identification of the Masquerading: Rename System Utilities technique (T1036.003) in the MITRE ATT&CK framework.
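The comparison the rule performs, shown as an added Python example that is not the rule's own logic: each Sysmon Event ID 1 record's on-disk file name is checked against its `OriginalFileName`, restricted to a watchlist of abused binaries and with an allowlist for known benign renamed copies. The watchlist entries, the allowlist path and the sample events are constructed assumptions; verify the `OriginalFileName` values against binaries in your own environment.

```python
"""Flag Sysmon process-creation events where the on-disk name differs from
the binary's OriginalFileName (version-resource name). Example added for
this page; watchlist, allowlist and sample events are constructed."""
from pathlib import PureWindowsPath

# OriginalFileName values to watch (lower-cased). Assumed starting set: the
# version-resource name does not always carry the on-disk extension (PsExec
# reports "psexec.c"), so the comparison below is made on the file stem.
WATCHLIST = {"certutil.exe", "mshta.exe", "powershell.exe", "psexec.c"}

# Known-benign renamed copies (constructed path); tune per environment to
# suppress false positives from vendor software that ships renamed binaries.
ALLOWLIST = {r"c:\program files\vendor\backupshell.exe"}


def _stem(name: str) -> str:
    """File name without directory or extension, case-folded."""
    return PureWindowsPath(name).stem.lower()


def is_renamed_binary(event: dict) -> bool:
    """True when a watched binary was started under a different file name."""
    if event.get("EventID") != 1:  # Sysmon Event ID 1: process creation
        return False
    original = event.get("OriginalFileName", "")
    image = event.get("Image", "")
    if original.lower() not in WATCHLIST:
        return False
    if image.lower() in ALLOWLIST:
        return False
    return _stem(image) != _stem(original)


def find_renamed(events: list) -> list:
    """Return the Image paths of all events matching the detection."""
    return [e["Image"] for e in events if is_renamed_binary(e)]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "CertUtil.exe"},
    {"EventID": 1, "Image": r"C:\Temp\svchost32.exe", "OriginalFileName": "mshta.exe"},
    {"EventID": 1, "Image": r"C:\Tools\ps.exe", "OriginalFileName": "psexec.c"},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\backupshell.exe", "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 3, "Image": r"C:\Temp\svchost32.exe", "OriginalFileName": "mshta.exe"},
]

if __name__ == "__main__":
    for hit in find_renamed(SAMPLE_EVENTS):
        print("renamed binary:", hit)
```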
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2019-06-15