
Summary
This detection rule identifies potentially malicious process executions originating from suspicious folders that threat actors may use to evade detection. It analyzes process execution logs for processes started from system folders and other locations typically associated with deceptive behavior, and flags any matches. The detection logic uses Sysmon EventCode 1, which captures process creation events, and applies a regex to filter out known safe paths. It also requires that the parent process path does not originate from specific benign locations, which minimizes false positives. The aim is to uncover masquerading tactics as listed in the MITRE ATT&CK framework, specifically T1036, which involves altering file names or locations to appear legitimate. The rule is implemented in Splunk, processing collected endpoint data to proactively detect suspicious behavior and strengthen endpoint protection against potential exploits.
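The three checks described above (process creation only, a regex allowlist of safe paths, and a benign-parent exclusion), as an added illustration that is not the rule's own Splunk search. The suspicious-folder list, the allowlist pattern, the benign parent folders, and the sample Sysmon records are all assumptions constructed for this example.

```python
import re

# Folders this example treats as suspicious launch locations (assumed list,
# not the original rule's). Comparisons are case-insensitive.
SUSPICIOUS_FOLDERS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\perflogs\\")

# Regex allowlist of known-safe image paths (assumed example pattern).
SAFE_PATH_PATTERNS = (re.compile(r"^c:\\windows\\temp\\vendor_installer_\d+\.exe$"),)

# Parent locations treated as benign; their children are not flagged (assumed).
BENIGN_PARENT_FOLDERS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon records in the shape a Splunk search over EventCode 1 returns.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventCode": 1, "Image": "C:\\Windows\\Temp\\svchost.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"EventCode": 1, "Image": "C:\\Users\\Public\\update.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 1, "Image": "C:\\Windows\\Temp\\installer.exe",
     "ParentImage": "C:\\Program Files\\Vendor\\updater.exe"},
    {"EventCode": 1, "Image": "C:\\Windows\\Temp\\vendor_installer_42.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 3, "Image": "C:\\Windows\\Temp\\svchost.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def is_suspicious(event):
    """Apply the rule's three checks to one Sysmon event."""
    if event.get("EventCode") != 1:          # process creation events only
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.startswith(SUSPICIOUS_FOLDERS):
        return False                          # not launched from a watched folder
    if any(p.match(image) for p in SAFE_PATH_PATTERNS):
        return False                          # explicitly allowlisted path
    if parent.startswith(BENIGN_PARENT_FOLDERS):
        return False                          # spawned from a benign parent location
    return True


def detect(events):
    """Return the Image paths of events the rule would flag, in input order."""
    return [e["Image"] for e in events if is_suspicious(e)]
```

Of the six constructed records, only the Temp-resident svchost.exe and the Public-folder update.exe are flagged; the others drop out on the event type, the allowlist regex, or the benign parent check.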
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- File
ATT&CK Techniques
- T1036
Created: 2024-02-09