Live Sysinternals Execution

Anvilogic Forge

Summary
This detection rule identifies the execution of Sysinternals tools directly from the live version hosted on the internet (https://live.sysinternals.com), without prior installation on the Windows host. Sysinternals utilities are powerful tools for system management, diagnosis, and troubleshooting; however, threat actors may abuse them for reconnaissance, privilege escalation, and lateral movement within a network. The rule uses Splunk to track command-line invocations that reference the Sysinternals live site. When a process is launched from that source, the detection logic fires and captures the relevant event details. This proactive monitoring flags unauthorized use of Sysinternals tools so that security teams can investigate the context and intent behind the activity.
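The detection logic described above, run over a handful of constructed process-creation events, as an added illustration that is not Anvilogic's own rule or Splunk query. It assumes Sysmon Event ID 1 style field names (Computer, User, ParentImage, CommandLine) and catches both the HTTPS URL and the WebDAV/UNC share form of the live site, which a plain URL match would miss.

```python
import re

# Matches both forms in which the live site shows up on a command line: the
# HTTPS URL and the WebDAV/UNC share path (\\live.sysinternals.com\tools\...).
LIVE_SYSINTERNALS = re.compile(
    r"(?:https?://|\\\\)live\.sysinternals\.com(?:[/\\][^\s\"']*)?",
    re.IGNORECASE,
)

def extract_tool(reference: str) -> str:
    """Return the executable named in the reference ('procdump.exe'), or '' if only the host."""
    tail = re.split(r"[/\\]", reference.rstrip("/\\"))[-1]
    return "" if tail.lower() == "live.sysinternals.com" else tail

def detect_live_sysinternals(events):
    """Flag process-creation events whose command line references live.sysinternals.com."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        m = LIVE_SYSINTERNALS.search(cmd)
        if m:
            # Keep the fields an analyst needs for triage of the alert.
            findings.append({
                "host": ev.get("Computer", ""),
                "user": ev.get("User", ""),
                "parent": ev.get("ParentImage", ""),
                "tool": extract_tool(m.group(0)),
                "command_line": cmd,
            })
    return findings

# Constructed sample events using Sysmon Event ID 1 style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\svchost.exe\" -k netsvcs"},
    {"Computer": "WS01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\\\\live.sysinternals.com\\tools\\procexp64.exe"},
    {"Computer": "SRV02", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-WebRequest https://live.sysinternals.com/procdump.exe -OutFile p.exe\""},
    {"Computer": "WS03", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Program Files\\Sysinternals\\procexp.exe\""},  # locally installed copy: not flagged
]

if __name__ == "__main__":
    for f in detect_live_sysinternals(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} parent={f['parent']} tool={f['tool']}")
```

The locally installed copy in the last event is deliberately not flagged: the rule targets execution from the live site, not Sysinternals use in general.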
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1105
Created: 2024-02-09