This detection rule targets potential misuse of Git hooks to execute unauthorized processes within the Windows System32 directory, exploiting command and scripting interpreter functionalities. Adversaries may utilize these hooks to invoke commands or scripts that spawn malicious processes, thereby leveraging legitimate tools (like Git) in a compromise. The rule is designed to capture instances where a process initiated by Git leads to the execution of a process located in the System32 directory, which is a common target for malicious activity due to its integral role in Windows OS operation. The logic implemented utilizes both Windows Event and Sysmon logs, focusing on Event ID 4688, which provides insights into process creation events with detailed information about parent-child relationships of processes. To enhance rule precision, it filters operations specifically where the parent process is Git and the child process resides within the C:\Windows\System32 path, excluding benign instances. The rule also references the vulnerability associated with CVE-2024-32002 which highlights the potential risks linked to this type of abuse.