This detection rule aims to identify the execution of the Xwizard application (xwizard.exe) from non-default directories, a behavior indicative of potential abuse. Xwizard, a legitimate tool in Windows environments, can be exploited to sideload malicious versions of the associated library 'xwizards.dll' when run from unintended paths. This sideloading technique can aid attackers in executing arbitrary code under the guise of a system process. The rule utilizes event logs that monitor process creation activities within Windows environments. The detection logic specifies that the rule will trigger when the image name ends with 'xwizard.exe' but originates from any directory that is not among the designated legitimate system directories (C:\Windows\System32, C:\Windows\SysWOW64, or C:\Windows\WinSxS). False positives may arise for installations on non-C drives where the Xwizard executable might legitimately exist outside the expected paths.