
Summary
This rule detects the execution of LOLBAS (Living Off the Land Binaries and Scripts) processes that have been renamed by a threat actor. The rule uses several data sources, including Sysmon and Windows Event Logs, to identify process creations where the name of the executed image does not match the original file name embedded in the binary. Renaming executables is a tactic adversaries use to evade detection and carry out malicious activity while appearing benign. The detection logic compares the executed process name with the original file name and filters on characteristics that indicate misuse, such as renaming patterns and execution paths commonly associated with system binaries. The rule is particularly useful for identifying evasion tactics in attacks that abuse legitimate Windows processes. This added visibility into process execution helps security teams investigate and respond to suspicious activity effectively.
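The comparison the rule relies on (executed image name versus the original file name recorded in the binary's version information) can be reproduced in a few lines over Sysmon-style process-creation records. The following Python is an added example, not the rule's own logic or query: the LOLBAS watch-list, the sample events and the `detect_renamed_lolbas` helper are constructed for illustration, while the `Image` and `OriginalFileName` field names are those Sysmon writes in Event ID 1. Case and `.exe`-extension differences are normalised away, and records whose `OriginalFileName` is `-` (Sysmon's value when the PE carries no version resource) are skipped rather than flagged, since there is nothing to compare against.

```python
import ntpath
from typing import Iterable

# Constructed watch-list of original file names for commonly abused LOLBAS
# binaries (illustrative; the real rule's list may differ).
LOLBAS_ORIGINAL_NAMES = {
    "rundll32", "regsvr32", "mshta", "certutil", "cscript", "wscript",
    "msiexec", "regasm", "regsvcs", "installutil", "cmstp", "bitsadmin",
}


def _normalize(name: str) -> str:
    """Reduce a path or file name to a lower-case stem without '.exe'.

    Sysmon records OriginalFileName as stored in the PE version resource
    (e.g. 'RUNDLL32.EXE'), while Image is the on-disk path, so case and
    extension must not influence the comparison.
    """
    base = ntpath.basename(name).strip().lower()
    return base[:-4] if base.endswith(".exe") else base


def detect_renamed_lolbas(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events whose image name differs from the
    LOLBAS original file name embedded in the executed binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only Sysmon process creation
            continue
        original = ev.get("OriginalFileName", "-")
        if original in ("", "-"):           # no version resource: nothing to compare
            continue
        orig_norm = _normalize(original)
        if orig_norm not in LOLBAS_ORIGINAL_NAMES:
            continue                        # not a binary we care about
        if _normalize(ev["Image"]) != orig_norm:
            hits.append({"Image": ev["Image"], "OriginalFileName": original})
    return hits


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe",        "OriginalFileName": "RUNDLL32.EXE"},
    {"EventID": 1, "Image": r"C:\Temp\svc.exe",                   "OriginalFileName": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",       "OriginalFileName": "Cmd.Exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\notes.exe",          "OriginalFileName": "certutil.exe"},
    {"EventID": 1, "Image": r"C:\Tools\myapp.exe",                "OriginalFileName": "myapp.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\update.exe",        "OriginalFileName": "RUNDLL32.EXE"},
]

if __name__ == "__main__":
    for hit in detect_renamed_lolbas(SAMPLE_EVENTS):
        print(f"renamed LOLBAS: {hit['Image']} (original {hit['OriginalFileName']})")
```

Two caveats matter when operationalising this. Windows Security event 4688 does not carry the original file name, so the comparison needs Sysmon (or EDR telemetry that exposes version-resource data); and because `OriginalFileName` is read from the binary's own version resource, an adversary who also strips or edits that resource will produce the `-` case above and fall outside this check, which is why the rule pairs it with path-based filtering rather than relying on the name comparison alone.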
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1036
- T1036.003
- T1218.011
Created: 2024-11-13