Windows Process Injection into Commonly Abused Processes

Splunk Security Content

Summary
This analytic rule detects process injection attempts into commonly abused Windows processes such as notepad.exe, wordpad.exe, calc.exe, and others, using Sysmon EventID 10 (ProcessAccess). It matches on GrantedAccess values typical of such operations: 0x40 (PROCESS_DUP_HANDLE) and 0x1fffff (PROCESS_ALL_ACCESS, every process access right on Vista and later). To reduce false positives, it excludes events whose source process runs from a recognized legitimate path (System32, SysWOW64, or Program Files); the exclusion applies to the source image only, not the target. The detection matters because process injection is a common technique in malware frameworks, notably SliverC2, for executing code inside a benign-looking process, which can support privilege escalation or persistence in a compromised environment. The rule requires Sysmon to be configured to log EventID 10 for these targets, and the list of trusted source images should be tuned per environment to keep noise down without suppressing genuine hits.
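As an added worked example (not the Splunk search itself and not part of this page), the following Python re-implements the filtering logic the summary describes and runs it over constructed Sysmon EventID 10 records. The target list uses only the three executables named above (the real rule lists more), the trusted-path patterns are assumed wildcard fragments, and the sample events are invented for illustration. It also decodes the GrantedAccess mask into named rights and shows a bitmask check that is not part of the rule, to illustrate what an exact-value match on 0x40/0x1fffff can miss.

```python
"""Added example: re-implementation of the described detection logic over
constructed Sysmon Event ID 10 (ProcessAccess) records. Not the Splunk rule."""

# Process access rights from winnt.h, keyed by bit value.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista and later

# Exact GrantedAccess values the rule matches, per the summary.
WATCHED_ACCESS = {0x40, PROCESS_ALL_ACCESS}
# Targets named on the page; the real rule's list is longer (assumption).
WATCHED_TARGETS = {"notepad.exe", "wordpad.exe", "calc.exe"}
# Assumed wildcard fragments for the trusted SourceImage exclusion.
TRUSTED_SOURCE_FRAGMENTS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files")


def decode_granted_access(mask):
    """Return the named rights set in a GrantedAccess mask, plus any unnamed bits."""
    names = [name for bit, name in PROCESS_ACCESS_RIGHTS.items() if mask & bit]
    named_bits = 0
    for bit in PROCESS_ACCESS_RIGHTS:
        named_bits |= bit
    leftover = mask & ~named_bits
    if leftover:
        names.append(f"UNNAMED(0x{leftover:X})")
    return names


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_source(path):
    lowered = path.lower()
    return any(frag in lowered for frag in TRUSTED_SOURCE_FRAGMENTS)


def matches(event):
    """Apply the rule's conditions to one Sysmon event given as a field dict."""
    if event.get("EventID") != 10:
        return False
    try:
        granted = int(event["GrantedAccess"], 16)  # Sysmon writes this as hex text
    except (KeyError, ValueError):
        return False
    if granted not in WATCHED_ACCESS:
        return False
    if basename(event.get("TargetImage", "")) not in WATCHED_TARGETS:
        return False
    # Exclusion is on the source image only; the target may live under Program Files.
    return not is_trusted_source(event.get("SourceImage", ""))


def run_detection(events):
    """Return (SourceImage, TargetImage, decoded rights) for every matching event."""
    return [
        (e["SourceImage"], e["TargetImage"], decode_granted_access(int(e["GrantedAccess"], 16)))
        for e in events if matches(e)
    ]


def has_injection_rights(mask):
    """Bitmask alternative, not part of the rule: VM_WRITE plus CREATE_THREAD or
    VM_OPERATION. An exact-value list misses a caller that requests only these."""
    return bool(mask & 0x0020) and bool(mask & (0x0002 | 0x0008))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x40"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\loader.exe",
     "TargetImage": r"C:\Program Files\Windows NT\Accessories\wordpad.exe", "GrantedAccess": "0x40"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x42A"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "SourceImage": r"C:\Users\bob\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for src, tgt, rights in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {src} -> {tgt}: {', '.join(rights)}")
```

Running it fires on the Temp-dir and Downloads-dir sources only: the svchost.exe and Program Files sources are suppressed by the path exclusion, cmd.exe is not a watched target, and the EventID 1 record is ignored. The 0x42A event (PROCESS_QUERY_INFORMATION | VM_WRITE | VM_OPERATION | CREATE_THREAD) does not match the exact-value list even though has_injection_rights() flags it, which is the trade-off to keep in mind when tuning this rule: exact GrantedAccess values are cheap and low-noise, but a caller that requests only the minimum rights injection needs will not produce 0x1fffff.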
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1055.002
  • T1055
Created: 2025-03-19