
Summary
Detects known Mustang Panda tooling executed from a path that is not on the C:\ drive, focusing on USB and other external-storage scenarios. The rule targets executable artifacts commonly used by Mustang Panda for initial access, lateral movement, or DLL side-loading; when one of them launches from a non-C:\ path (a removable drive, a secondary disk, or a network share), that is a strong indicator of compromise via removable media. It uses the Endpoint data model (Processes node) populated from EDR telemetry (Sysmon EventID 1, Windows Security event 4688, and CrowdStrike ProcessRollup2) to find process-creation events where process_path does not begin with C:\ and the process name matches a curated blocklist (e.g., atkexComSvcRes.exe, AtlTraceTool8.exe, GoogleUpdate.exe, Symantec variants, wsc_proxy.exe). The search returns contextual fields (process path, vendor_product, user, hashes, parent process, command line, and process metadata) for drilldown and risk scoring. This helps surface USB-mediated tool execution that could precede broader compromise or data exfiltration.

Administrators should align the data model mapping to their CIM and EDR integrations and maintain an allowlist for legitimate external-drive usage (for example, a vendor updater legitimately installed on a D:\ data disk). Because the condition is "not C:\", hosts whose system drive uses a different letter will match on every listed name, so adjust the root condition if alternate system-drive letters are in use; depending on how the negation is written in SPL, events with no process_path value may also match and should be handled explicitly. MITRE ATT&CK techniques implicated include T1574.001 and T1574.002 (Hijack Execution Flow: DLL search-order hijacking and DLL side-loading), T1204.002 (User Execution: Malicious File), and T1020 (Automated Exfiltration). This rule supports a Windows endpoint security posture and can be integrated into Splunk ES for alerting and investigations.
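The following is an added example, not the rule's own SPL or any code from the content pack. It re-implements the matching logic the summary describes in Python over a handful of constructed process-creation events, using Splunk CIM Endpoint.Processes field names (process_path, process_name, user, parent_process_name, process, dest, vendor_product), so the conditions can be tested and tuned offline. The blocklist is a partial list built only from the names the summary cites, the ALLOWLIST entries and sample events are invented for illustration, and the handling of UNC paths and \\?\ prefixes is an assumption about what a practitioner would want, not something the rule is documented to do.

```python
import ntpath
from typing import Dict, List, Optional

# Executable names the summary cites as Mustang Panda artifacts (lower-cased for
# matching). Illustrative subset only; the rule's curated blocklist is longer.
BLOCKLIST = {
    "atkexcomsvcres.exe",
    "atltracetool8.exe",
    "googleupdate.exe",
    "wsc_proxy.exe",
}

# Assumed per-environment allowlist: (process_name, drive) pairs that are
# known-good, e.g. a vendor updater installed on a secondary fixed disk.
ALLOWLIST = {("googleupdate.exe", "D:")}


def normalize_path(path: str) -> str:
    """Normalize slashes and strip Win32 namespace prefixes (\\?\ and \\.\)
    so that \\?\F:\tool.exe is judged by its real drive letter F:."""
    path = (path or "").strip().replace("/", "\\")
    for prefix in ("\\\\?\\", "\\\\.\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path


def drive_of(path: str) -> str:
    """Return the drive letter ('E:') or UNC share ('\\\\nas\\share') of a path.
    ntpath works on any OS, so this runs outside Windows too."""
    drive, _ = ntpath.splitdrive(normalize_path(path))
    return drive


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Return an alert record when the event matches the rule's conditions
    (blocklisted name AND not on C:\ AND not allowlisted), else None."""
    raw_path = event.get("process_path", "")
    # Fall back to the path's basename when process_name is not populated.
    name = (event.get("process_name") or ntpath.basename(normalize_path(raw_path))).lower()
    if name not in BLOCKLIST:
        return None
    drive = drive_of(raw_path).upper()
    if drive == "C:":
        return None
    if (name, drive) in ALLOWLIST:
        return None
    # Empty drive means a missing, relative, or unparseable path; the negated
    # C:\ test still matches, so surface it rather than silently dropping it.
    return {
        "dest": event.get("dest"),
        "user": event.get("user"),
        "process_name": name,
        "process_path": raw_path,
        "drive": drive or "<none>",
        "parent_process_name": event.get("parent_process_name"),
        "process": event.get("process"),
        "vendor_product": event.get("vendor_product"),
    }


def run(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Apply evaluate() to every event and return only the alerts."""
    return [hit for hit in (evaluate(e) for e in events) if hit]


# Constructed sample telemetry (not real data). Only events 1, 3 and 6 should fire.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\jdoe", "process_path": "E:\\Update\\GoogleUpdate.exe",
     "process_name": "GoogleUpdate.exe", "parent_process_name": "explorer.exe",
     "process": "E:\\Update\\GoogleUpdate.exe", "vendor_product": "Microsoft Sysmon"},
    {"dest": "ws01", "user": "CORP\\jdoe",
     "process_path": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "process_name": "GoogleUpdate.exe", "parent_process_name": "services.exe",
     "process": "GoogleUpdate.exe /svc", "vendor_product": "Microsoft Sysmon"},
    {"dest": "ws02", "user": "CORP\\asmith", "process_path": "\\\\nas\\share\\tools\\wsc_proxy.exe",
     "process_name": "wsc_proxy.exe", "parent_process_name": "cmd.exe",
     "process": "wsc_proxy.exe", "vendor_product": "CrowdStrike Falcon"},
    {"dest": "ws03", "user": "CORP\\build", "process_path": "D:\\Google\\GoogleUpdate.exe",
     "process_name": "GoogleUpdate.exe", "parent_process_name": "services.exe",
     "process": "GoogleUpdate.exe /svc", "vendor_product": "Microsoft Sysmon"},
    {"dest": "ws02", "user": "CORP\\asmith", "process_path": "E:\\photos\\viewer.exe",
     "process_name": "viewer.exe", "parent_process_name": "explorer.exe",
     "process": "viewer.exe", "vendor_product": "Microsoft Sysmon"},
    {"dest": "ws04", "user": "CORP\\tlee", "process_path": "\\\\?\\F:\\AtlTraceTool8.exe",
     "parent_process_name": "explorer.exe", "process": "AtlTraceTool8.exe",
     "vendor_product": "Windows Security 4688"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The second sample event shows why the drive check matters: GoogleUpdate.exe is a legitimate binary on most Windows hosts, and only its location distinguishes the side-loading host from the real updater. The fourth event shows the allowlist absorbing a known-good installation on D:\ without exempting the same name on removable or network drives.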
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1574.001
- T1204.002
- T1020
- T1574.002
Created: 2026-04-13