
HackTool - SysmonEOP Execution

Sigma Rules

Summary
This rule detects execution of the public proof-of-concept (PoC) for CVE-2022-41120, the Sysmon elevation-of-privilege vulnerability. It watches process creation events for either of two indicators: an image name ending in `SysmonEOP.exe`, or a `Hashes` field carrying one of two import hashes of the known PoC binary, `IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5` or `IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC`. Either indicator alone is enough to fire, so a renamed copy of the PoC is still caught as long as its import table, and with it the imphash, is unchanged.

Two caveats matter when deploying it. The import hash is only written to Sysmon Event ID 1 when the Sysmon configuration's HashAlgorithms setting includes IMPHASH; without it the rule is reduced to the file-name check, which an attacker defeats by renaming the executable. Conversely, a recompiled or modified PoC with a different set of imports produces a different imphash and is not covered, so the rule is a signature for the known build rather than a detection of the exploitation technique itself.

The rule is rated critical: a match means an actor who already has a foothold is attempting local privilege escalation through the logging agent itself, and should be triaged immediately. False positives are unlikely, but alerts should still be reviewed rather than closed automatically.
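To make the selection logic concrete, the following Python re-implements the rule's two conditions and runs them over constructed Sysmon Event ID 1 records. This is an added example, not the rule's own code or anything from the Sigma project; the field names `Image` and `Hashes` follow the Sysmon event schema, while the paths and SHA256 values in the sample records are made up for illustration. It also shows the blind spot described above: a renamed PoC logged by a Sysmon instance that does not compute IMPHASH matches nothing.

```python
"""Added example: the rule's selection logic applied to constructed Sysmon
process-creation records. Not the rule's own code."""

from dataclasses import dataclass

# Indicators taken from the rule as described on this page.
SUSPICIOUS_IMAGE_SUFFIX = "\\sysmoneop.exe"
SUSPICIOUS_IMPHASHES = {
    "22F4089EB8ABA31E1BB162C6D9BF72E5",
    "5123FA4C4384D431CD0D893EEB49BBEC",
}


@dataclass
class ProcessCreation:
    """Subset of a Sysmon Event ID 1 record relevant to this rule."""
    image: str
    hashes: str  # Sysmon "Hashes" field, e.g. "SHA256=...,IMPHASH=..."


def parse_hashes(field: str) -> dict:
    """Split the Sysmon Hashes field into {ALGORITHM: VALUE}, upper-cased."""
    parsed = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip().upper()
    return parsed


def matches(event: ProcessCreation) -> list:
    """Return the names of the selections that fired; empty means no alert.

    The two selections are OR-ed, mirroring the rule. Comparisons are
    case-insensitive, as Sigma string matching is by default.
    """
    hits = []
    if event.image.lower().endswith(SUSPICIOUS_IMAGE_SUFFIX):
        hits.append("selection_img")
    if parse_hashes(event.hashes).get("IMPHASH") in SUSPICIOUS_IMPHASHES:
        hits.append("selection_imphash")
    return hits


# Constructed records (paths and SHA256 placeholders are not real samples).
SAMPLE_EVENTS = {
    # Unmodified PoC, Sysmon configured with IMPHASH: both selections fire.
    "unrenamed": ProcessCreation(
        image="C:\\Users\\lab\\Desktop\\SysmonEOP.exe",
        hashes="SHA256=" + "00" * 32 + ",IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5",
    ),
    # Renamed PoC, IMPHASH logged in lower case: the hash check still fires.
    "renamed_imphash_logged": ProcessCreation(
        image="C:\\Temp\\svchost_update.exe",
        hashes="SHA256=" + "11" * 32 + ",IMPHASH=5123fa4c4384d431cd0d893eeb49bbec",
    ),
    # Renamed PoC on a host whose Sysmon config omits IMPHASH: no detection.
    "renamed_no_imphash": ProcessCreation(
        image="C:\\Temp\\svchost_update.exe",
        hashes="SHA256=" + "11" * 32,
    ),
    # Ordinary binary with an unrelated import hash: no detection.
    "benign": ProcessCreation(
        image="C:\\Windows\\System32\\notepad.exe",
        hashes="SHA256=" + "22" * 32 + ",IMPHASH=" + "AB" * 16,
    ),
}


def run_samples() -> dict:
    """Evaluate every constructed record; returns {name: fired selections}."""
    return {name: matches(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:24s} -> {hits or 'no match'}")
```

The third record is the one to test against your own telemetry: if `renamed_no_imphash` is what your hosts would emit, add IMPHASH to the Sysmon HashAlgorithms setting before relying on this rule.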
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-12-04