
Summary
This detection rule identifies potentially malicious executable files on Windows systems that attempt to evade security measures by masquerading as harmless file types such as documents or images. Attackers use this technique to trick users into executing these files, which may lead to unauthorized access or malware infection. The rule specifically looks for executable files logged under Sysmon EventID 29 (FileExecutableDetected), which records the creation of a file whose content is executable even though its name claims a non-executable type. The detection logic uses a Splunk query to filter these events so that only files masquerading as non-executable formats such as .pdf, .jpg, .doc, etc., are flagged. Users are advised to configure Sysmon to log these events accurately and to tune the associated Splunk macro settings for their environment to minimize false positives. The rule also provides testing capabilities and drilldown searches for deeper investigation of identified incidents, and it integrates with broader risk assessments.
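As an added illustration (not the rule's own Splunk query), the filter the summary describes, applied in Python to constructed Sysmon EventID 29 records: keep only events where Sysmon flagged the new file as executable but its name carries a document or image extension. The extension list, the sample events and the output field names are assumptions for this example.

```python
from pathlib import PureWindowsPath

# Extensions the rule treats as "harmless" document/image types; the exact
# list inside the Splunk macro is an assumption here.
NON_EXECUTABLE_EXTENSIONS = {
    ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx",
    ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf",
}

# Constructed sample Sysmon records modelled on the fields Sysmon emits
# (EventID 29 = FileExecutableDetected); all values are made up.
SAMPLE_EVENTS = [
    {"EventID": 29, "Image": r"C:\Users\alice\AppData\Local\Temp\mailclient.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice_2025.pdf", "User": "CORP\\alice"},
    {"EventID": 29, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\tool.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 29, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\photo.jpg", "User": "CORP\\bob"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\notes.txt", "User": "CORP\\bob"},
    {"EventID": 29, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.dll", "User": "NT AUTHORITY\\SYSTEM"},
]


def file_extension(path: str) -> str:
    """Final extension of a Windows path, lower-cased ('' if none).
    A name like report.pdf.exe yields '.exe' and is therefore not flagged."""
    return PureWindowsPath(path).suffix.lower()


def is_masquerading_executable(event: dict) -> bool:
    """True when Sysmon detected executable content (EventID 29) but the
    file name claims to be a document or image."""
    if event.get("EventID") != 29:
        return False
    return file_extension(event.get("TargetFilename", "")) in NON_EXECUTABLE_EXTENSIONS


def find_masquerading_executables(events):
    """Mirror the rule's filter and shape each hit like a risk event."""
    hits = []
    for ev in events:
        if is_masquerading_executable(ev):
            hits.append({
                "user": ev["User"],
                "file_name": PureWindowsPath(ev["TargetFilename"]).name,
                "file_path": ev["TargetFilename"],
                "process_name": PureWindowsPath(ev["Image"]).name,
                "annotation": "T1036.008",
            })
    return hits


if __name__ == "__main__":
    for hit in find_masquerading_executables(SAMPLE_EVENTS):
        print(hit)
```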
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1036.008
Created: 2025-11-20