
Summary
This detection rule identifies the renaming of the 'microsoft.workflow.compiler.exe' executable, which normally resides in the Microsoft .NET Framework directory. Renaming this executable is suspicious because it may indicate an attacker attempting to bypass security measures. The analytic uses data from Endpoint Detection and Response (EDR) sources, specifically comparing the running process name with the original file name, to detect potential malicious activity. If the renaming is confirmed as malicious, it could allow an attacker to execute arbitrary code, with potential consequences including privilege escalation and persistent access. Implementing this detection requires ingesting the relevant EDR logs that record process activity and command-line executions.
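The process-name versus original-file-name comparison described above, written out as an added illustration that is not part of the original detection content. The EDR field names (host, process_name, original_file_name, command_line) and the JSON-lines sample events are assumptions constructed for this example; a real EDR schema will differ.

```python
"""Flag a renamed microsoft.workflow.compiler.exe in EDR process events.

Added illustration, not code from the original detection content. The
EDR field names (host, process_name, original_file_name, command_line)
and the sample events are assumptions constructed for this example.
"""
import json
import ntpath

WORKFLOW_COMPILER = "microsoft.workflow.compiler.exe"

# Constructed JSON-lines sample of process-creation events (raw string so
# the JSON "\\" escapes survive as Windows path separators).
SAMPLE_EVENTS = r"""
{"host": "ws01", "process_name": "Microsoft.Workflow.Compiler.exe", "original_file_name": "Microsoft.Workflow.Compiler.exe", "command_line": "Microsoft.Workflow.Compiler.exe C:\\Build\\project.xml C:\\Build\\out.txt"}
{"host": "ws02", "process_name": "C:\\Users\\Public\\wfc_helper.exe", "original_file_name": "Microsoft.Workflow.Compiler.exe", "command_line": "wfc_helper.exe C:\\Users\\Public\\a.xml C:\\Users\\Public\\b.txt"}
{"host": "ws03", "process_name": "notepad.exe", "original_file_name": "NOTEPAD.EXE", "command_line": "notepad.exe notes.txt"}
{"host": "ws04", "process_name": "build.exe", "command_line": "build.exe job.xml"}
"""


def parse_events(text):
    """Parse JSON-lines EDR output into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_renamed_workflow_compiler(events):
    """Return one alert per event whose original file name is the workflow
    compiler but whose on-disk process name differs.

    The comparison is case-insensitive and uses the basename of process_name
    so a full path does not hide a match. Events with no original_file_name
    field cannot be judged by this rule and are skipped (a known blind spot
    when the EDR does not populate that metadata).
    """
    alerts = []
    for ev in events:
        original = (ev.get("original_file_name") or "").lower()
        process = ntpath.basename(ev.get("process_name") or "").lower()
        if original == WORKFLOW_COMPILER and process != WORKFLOW_COMPILER:
            alerts.append({
                "host": ev.get("host"),
                "process_name": process,
                "original_file_name": original,
                "command_line": ev.get("command_line", ""),
                "reason": "original_file_name is the workflow compiler but process name differs",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_renamed_workflow_compiler(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only the ws02 event is flagged; ws04 shows the blind spot when the EDR omits the original file name field.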
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1036
- T1127
- T1036.003
Created: 2024-11-13