
Summary
This detection rule identifies a defense evasion tactic in which threat actors execute binaries under different names to evade detection. It looks for processes known to be commonly renamed by malware, using the Sysmon OriginalFileName data point, which records the file name stored in the binary's version resource rather than the name it was launched under. The selection covers processes such as 'Cmd.Exe', 'CONHOST.EXE', '7z.exe', and others that are frequent targets of renaming. A filter excludes cases where the image path matches the known locations of these processes, keeping false positives low so that alerts point to genuine threats. The rule draws on process creation logs from Windows systems, improving situational awareness for security teams monitoring endpoint behavior.
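The following is an added example, not part of the rule's own definition, that shows the detection logic above evaluated over constructed Sysmon process-creation records. It assumes the filter is implemented as "the on-disk file name matches the OriginalFileName" (a reading of "image path matches known locations"); the watch list repeats the three names the summary gives and adds two more as assumptions, and the event records, paths and command lines are all constructed.

```python
"""Toy evaluator for the renamed-binary rule (T1036.003) described above.

Each record mimics the subset of Sysmon Event ID 1 (process creation) fields
the rule needs. Watch list entries beyond the three named on the page, and
all sample events, are assumptions made for this example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# OriginalFileName values that malware commonly renames. The first three are
# named in the rule summary; the remaining two are assumed additions.
WATCHED_ORIGINAL_NAMES = {
    "cmd.exe",
    "conhost.exe",
    "7z.exe",
    "powershell.exe",  # assumption for the example
    "rundll32.exe",    # assumption for the example
}


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields used by the check."""
    image: str               # Sysmon 'Image': full path of the executed file
    original_file_name: str  # Sysmon 'OriginalFileName': from the PE version resource
    command_line: str = ""


@dataclass(frozen=True)
class Finding:
    image: str
    original_file_name: str
    technique: str = "T1036.003"


def is_renamed_binary(event: ProcessCreate) -> bool:
    """Selection: OriginalFileName on the watch list; filter: on-disk name differs."""
    original = event.original_file_name.strip().lower()
    # Sysmon writes '-' or '?' when the PE carries no version resource; nothing to compare.
    if original in ("", "-", "?"):
        return False
    if original not in WATCHED_ORIGINAL_NAMES:
        return False
    # If the file on disk still carries its internal name, this is the expected case.
    on_disk = ntpath.basename(event.image).lower()
    return on_disk != original


def evaluate(events: Iterable[ProcessCreate]) -> list[Finding]:
    """Return one Finding per event that trips the rule, in input order."""
    return [Finding(e.image, e.original_file_name) for e in events if is_renamed_binary(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c whoami"),
    ProcessCreate(r"C:\Users\Public\svchost.exe", "Cmd.Exe", "svchost.exe /c whoami"),
    ProcessCreate(r"C:\Windows\System32\conhost.exe", "CONHOST.EXE"),
    ProcessCreate(r"C:\Temp\update.exe", "7z.exe", "update.exe x archive.7z"),
    ProcessCreate(r"C:\Temp\tool.exe", "-"),
    ProcessCreate(r"C:\Windows\SysWOW64\cmd.exe", "Cmd.Exe"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(f"[{finding.technique}] {finding.image} "
              f"reports OriginalFileName={finding.original_file_name}")
```

Running the script flags only the two events whose on-disk name differs from the internal name (the fake svchost.exe that is really cmd.exe, and update.exe that is really 7z.exe); the SysWOW64 copy of cmd.exe passes because the name still matches, and the event with no version resource is skipped rather than alerted, which is the usual source of noise when this comparison is done naively.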
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1036.003
Created: 2019-06-15