
Summary
This detection rule identifies process creation that references the Sysnative folder on 64-bit Windows. Sysnative is a virtual folder exposed by the WOW64 file system redirector: a 32-bit process that asks for C:\Windows\System32\ is normally redirected to C:\Windows\SysWOW64\, but a path under C:\Windows\Sysnative\ bypasses that redirection and reaches the native 64-bit System32 binaries. Spawning 64-bit processes this way from a 32-bit parent is behaviour commonly associated with Cobalt Strike, a commercial penetration testing framework that is frequently abused by threat actors. The rule queries endpoint (EDR) process-creation telemetry for processes whose path or command line matches the regular expression for 'Windows\Sysnative\'. Because the alias is resolved inside the 32-bit caller, the resolved image path of the child typically reads System32 while the Sysnative string survives in the command line, so both fields are worth inspecting. Legitimate 32-bit software also uses Sysnative, so allowlist the parent/child combinations that are known to be benign in your environment to reduce false positives.
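The following is an added example, not part of the original rule or its vendor's code, that runs the matching logic described above over a few constructed process-creation events. Field names (parent_process_name, process_path, process), the sample events and the allowlist entries are assumptions made for illustration. It applies the literal 'Windows\Sysnative\' pattern the rule quotes and, as an extension, a broader pattern that also catches the folder reached through %windir% or %SystemRoot%, which the literal form misses.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# loosely follow a normalised endpoint process data model and are assumptions.
# Note the first event: the child's resolved image path is System32, while the
# Sysnative alias only survives in the command line.
SAMPLE_EVENTS = [
    {"parent_process_name": "beacon32.exe",
     "process_path": r"C:\Windows\System32\rundll32.exe",
     "process": r"C:\Windows\Sysnative\rundll32.exe"},
    {"parent_process_name": "cmd.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process": r"%windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden"},
    {"parent_process_name": "services.exe",
     "process_path": r"C:\Windows\System32\svchost.exe",
     "process": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"parent_process_name": "ccmexec.exe",
     "process_path": r"C:\Windows\System32\wbem\WMIC.exe",
     "process": r"C:\Windows\Sysnative\wbem\WMIC.exe os get version"},
]

# The pattern the rule description quotes: a literal "Windows\Sysnative\" path
# fragment. Backslashes are escaped because this is a regex, not a glob.
PAGE_PATTERN = re.compile(r"\\Windows\\Sysnative\\", re.IGNORECASE)

# Broader variant (an addition, not the page's rule): also matches the folder
# referenced through %windir% or %SystemRoot%.
BROAD_PATTERN = re.compile(
    r"(?:\\Windows|%windir%|%SystemRoot%)\\Sysnative\\", re.IGNORECASE
)

# Hypothetical allowlist of (parent, child image name) pairs treated as benign;
# build yours from a baseline of your own environment.
ALLOWLIST = {("ccmexec.exe", "wmic.exe")}

# Fields inspected, command line first, then the resolved image path.
FIELDS = ("process", "process_path")


def image_name(path):
    """Last path component of an image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, pattern=PAGE_PATTERN, allowlist=ALLOWLIST):
    """Return (event index, matched field) for every event whose command line
    or image path contains the Sysnative folder and is not allowlisted."""
    hits = []
    for i, ev in enumerate(events):
        pair = (ev["parent_process_name"].lower(), image_name(ev["process_path"]))
        if pair in allowlist:
            continue
        for field in FIELDS:
            if pattern.search(ev.get(field, "")):
                hits.append((i, field))
                break
    return hits


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("broad", BROAD_PATTERN)):
        for i, field in detect(SAMPLE_EVENTS, pat):
            ev = SAMPLE_EVENTS[i]
            print(f"[{name}] {ev['parent_process_name']} -> {ev[field]}")
```

Run stand-alone, the literal pattern flags only the beacon32.exe child (the WMIC event is suppressed by the allowlist), while the broader pattern additionally flags the %windir%\sysnative\ PowerShell launch. Matching on the image path alone would miss all of them, which is why the command line is checked first.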
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1218
Created: 2024-02-09