
Potential DLL Side-Loading via Microsoft Antimalware Service Executable
Elastic Detection Rules
Summary
This detection rule identifies instances of the Windows Microsoft Antimalware Service Executable (MsMpEng.exe) that may have been abused through DLL search order hijacking. It targets cases where the executable has been renamed or is running from a non-standard path, both of which are anomalous and may indicate an evasion tactic in which a malicious actor loads a harmful DLL into the memory of a legitimate, trusted process. The rule is written in Event Query Language (EQL) and compares the executable's original file name (from the PE header) with its running process name and path. It raises a high severity alert with a risk score of 73 because of the potentially grave implications of such activity. During investigation, analysts should assess the process details, parent process, file modifications, and associated network activity to determine whether a genuine threat exists, while keeping in mind the legitimate scenarios that can trigger false positives.
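To make the rule logic concrete, the following is an added Python example, not Elastic's own rule code: it applies the two conditions the summary describes (original file name MsMpEng.exe under a different running name, or MsMpEng.exe running outside its install directories) to a handful of constructed process-start events. The field names follow the Elastic Common Schema style that Elastic rules use, and the list of standard Defender install paths is an assumption for illustration; the real rule's exact fields and path list may differ.

```python
"""Added example (not the Elastic rule itself): mirror the MsMpEng.exe
side-loading rule logic over constructed process-start events.

Two conditions are checked, matching the summary above:
  (a) the PE original file name is MsMpEng.exe but the running process name
      differs (a renamed copy of the binary), or
  (b) the running name is MsMpEng.exe but the executable lives outside the
      directories where Defender normally installs it (assumed list below).
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Assumed standard locations of the Defender engine binary (illustrative).
# Written as glob patterns so the versioned Platform directory matches.
STANDARD_PATHS = (
    "?:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
)


def _matches_standard_path(executable: str) -> bool:
    """Case-insensitive glob match of the executable path against STANDARD_PATHS."""
    exe = executable.lower()
    return any(fnmatch.fnmatchcase(exe, pattern.lower()) for pattern in STANDARD_PATHS)


def evaluate_process_event(event: Dict[str, str]) -> Optional[str]:
    """Return a short reason when the event matches the rule logic, else None."""
    if event.get("event.type") != "start":
        return None  # the rule only looks at process start events
    name = (event.get("process.name") or "").lower()
    original = (event.get("process.pe.original_file_name") or "").lower()
    executable = event.get("process.executable") or ""

    # (a) renamed copy: PE header says MsMpEng.exe, on-disk name says otherwise
    if original == "msmpeng.exe" and name != "msmpeng.exe":
        return f"MsMpEng.exe renamed to {event.get('process.name')}"

    # (b) genuine name, but running from a non-standard directory
    if name == "msmpeng.exe" and not _matches_standard_path(executable):
        return f"MsMpEng.exe running from non-standard path {executable}"
    return None


def run_detection(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (executable, reason) pairs for every event that matches."""
    hits = []
    for event in events:
        reason = evaluate_process_event(event)
        if reason:
            hits.append((event.get("process.executable", ""), reason))
    return hits


# Constructed sample telemetry (not real events): one benign start, one
# non-standard path, one renamed copy, and one non-start event to ignore.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "MsMpEng.exe",
     "process.pe.original_file_name": "MsMpEng.exe",
     "process.executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2107.4-0\\MsMpEng.exe"},
    {"event.type": "start", "process.name": "MsMpEng.exe",
     "process.pe.original_file_name": "MsMpEng.exe",
     "process.executable": "C:\\Users\\Public\\MsMpEng.exe"},
    {"event.type": "start", "process.name": "svc.exe",
     "process.pe.original_file_name": "MsMpEng.exe",
     "process.executable": "C:\\Users\\Public\\svc.exe"},
    {"event.type": "end", "process.name": "MsMpEng.exe",
     "process.pe.original_file_name": "MsMpEng.exe",
     "process.executable": "C:\\Users\\Public\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for executable, reason in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {reason} ({executable})")
```

Only the second and third sample events produce alerts; the first is the normal Defender platform location and the fourth is a process end event, which the rule ignores. When triaging a hit, the parent process and any recently written DLLs in the same directory as the executable are the first things to check.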
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- File
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1574
- T1574.002
Created: 2021-07-07