
Windows Process Injection into Notepad

Splunk Security Content

Summary
This detection rule identifies potential process injection attempts targeting Notepad.exe using Sysmon EventCode 10 (ProcessAccess). It looks for two GrantedAccess values that the rule associates with injection: 0x40 (PROCESS_DUP_HANDLE) and 0x1FFFFF (PROCESS_ALL_ACCESS, every process right combined). Because notepad.exe itself lives under System32, the exclusion of common system paths such as System32, SysWOW64 and Program Files applies to the source image, which reduces false positives from legitimate system activity opening handles to Notepad. This behaviour has been observed with the Sliver C2 framework, where an initial payload injects code into Notepad to run it under a benign-looking process. Successful injection can give an attacker arbitrary code execution, privilege escalation or persistent access, so monitoring for it matters. The search's filtering parameters pinpoint these access attempts so security teams can triage them promptly.
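To make the rule's conditions concrete, the following is an added Python example that applies the same logic to a handful of constructed Sysmon Event ID 10 records. It is not the Splunk rule's own search (the SPL is not reproduced on this page); it assumes the Sysmon field names as Splunk ingests them (EventCode, SourceImage, TargetImage, GrantedAccess), that GrantedAccess is matched by exact value, and that the path exclusion applies to the source image. The sample events are constructed, not real telemetry.

```python
# Added example (not the Splunk rule's own SPL): the page's filter logic
# re-implemented in Python over constructed Sysmon Event ID 10 records, so the
# conditions can be exercised offline. Field names follow the Sysmon schema as
# Splunk ingests it (EventCode, SourceImage, TargetImage, GrantedAccess).
from typing import Dict, List

# Process access rights from winnt.h. 0x40 is PROCESS_DUP_HANDLE, not
# PROCESS_QUERY_INFORMATION (that is 0x400); 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# The rule's literal conditions: exact GrantedAccess values and excluded
# source directories (assumption: the exclusion is on SourceImage, since the
# target, notepad.exe, lives under System32 itself).
SUSPICIOUS_ACCESS = {0x40, PROCESS_ALL_ACCESS}
EXCLUDED_SOURCE_DIRS = ("\\system32\\", "\\syswow64\\", "\\program files\\")


def decode_access(mask: int) -> List[str]:
    """Name the rights set in a GrantedAccess mask, for analyst context."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)  # bits outside the table (e.g. standard rights)
    if rest:
        names.append(f"other(0x{rest:X})")
    return names


def parse_granted_access(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string; case varies by collector."""
    try:
        return int(value.strip(), 16)
    except (ValueError, AttributeError):
        return -1  # unparseable value never matches the rule


def matches_rule(event: Dict[str, object]) -> bool:
    """Apply the page's conditions to one Sysmon ProcessAccess event."""
    if event.get("EventCode") != 10:
        return False
    target = str(event.get("TargetImage", "")).lower()
    if not target.endswith("\\notepad.exe"):
        return False
    source = str(event.get("SourceImage", "")).lower()
    if any(d in source for d in EXCLUDED_SOURCE_DIRS):
        return False
    return parse_granted_access(str(event.get("GrantedAccess", ""))) in SUSPICIOUS_ACCESS


def run_detection(events) -> List[str]:
    """Return the source image of every event the rule would surface."""
    return [str(e["SourceImage"]) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\Downloads\procmon.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x40"},
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "SourceImage": r"C:\ProgramData\stage.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\Downloads\inject.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
]

if __name__ == "__main__":
    for src in run_detection(SAMPLE_EVENTS):
        print("ALERT: suspicious handle to notepad.exe from", src)
```

Running it flags update.exe, loader.exe (0x40) and stage.exe (lower-case 0x1fffff), while svchost.exe is excluded by path and procmon.exe's 0x1410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION) is a read-only mask that is not in the list. The last sample shows the caveat of exact-value matching: 0x1F0FFF contains PROCESS_VM_WRITE and PROCESS_CREATE_THREAD, which are enough to inject, yet it is not flagged because it is neither 0x40 nor 0x1FFFFF. A tuned variant could test the mask bitwise for PROCESS_VM_WRITE | PROCESS_CREATE_THREAD instead, at the cost of more tuning against legitimate tooling.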
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1055
  • T1055.002
Created: 2024-11-13