Windows Unusual SysWOW64 Process Run System32 Executable

Splunk Security Content

Summary
This rule detects an anomaly in Windows environments where a 32-bit process running from C:\Windows\SysWOW64\ spawns a binary from C:\Windows\System32\. Because WOW64 file system redirection normally maps a 32-bit process's requests for System32 onto SysWOW64, a 32-bit parent launching a native 64-bit System32 executable is uncommon and can indicate process injection, privilege escalation, or execution hijacking (ATT&CK T1036.009, Masquerading: Break Process Trees). The detection relies on process-creation telemetry from Sysmon Event ID 1 or Windows Security Event ID 4688 ingested into Splunk, and it alerts when the parent process path is under SysWOW64 and the newly created process path is under System32. Known false positives include legitimate system processes and third-party software utilities, so analysts should maintain an allowlist of expected parent/child pairs; hits involving unknown or unusual parent processes warrant deeper investigation.
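The following is an added example, not the Splunk search itself, that re-implements the parent/child path check in Python over constructed Sysmon Event ID 1 and Security 4688 style records. Field names follow the real event schemas (ParentImage/Image for Sysmon, ParentProcessName/NewProcessName for 4688); the allowlist entries and the sample events are hypothetical and constructed for illustration. It also normalises paths so that mixed case and a SysWOW64\..\System32 traversal still match, which a plain substring filter would miss.

```python
"""
Toy implementation of the SysWOW64 -> System32 parent/child detection over
constructed process-creation records. Added example; not Splunk's SPL.
"""
import ntpath
from typing import Iterable, List

SYSWOW64 = r"c:\windows\syswow64"
SYSTEM32 = r"c:\windows\system32"

# Hypothetical allowlist of expected (parent, child) pairs; tune per estate.
ALLOWLIST = {
    (r"c:\windows\syswow64\msiexec.exe", r"c:\windows\system32\msiexec.exe"),
}


def norm(path: str) -> str:
    """Lower-case, fix separators and collapse '..' so that
    C:\\Windows\\SysWOW64\\..\\System32\\cmd.exe normalises to System32."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def in_dir(path: str, directory: str) -> bool:
    """True if path lives under directory (subfolders included)."""
    return norm(path).startswith(directory + "\\")


def parent_child(event: dict):
    """Pull parent/child image paths from Sysmon EID 1 or Security 4688 fields."""
    parent = event.get("ParentImage") or event.get("ParentProcessName") or ""
    child = event.get("Image") or event.get("NewProcessName") or ""
    return parent, child


def is_suspicious(event: dict) -> bool:
    """32-bit (SysWOW64) parent spawning a System32 child, minus allowlisted pairs."""
    parent, child = parent_child(event)
    if not parent or not child:
        return False
    if not (in_dir(parent, SYSWOW64) and in_dir(child, SYSTEM32)):
        return False
    return (norm(parent), norm(child)) not in ALLOWLIST


def detect(events: Iterable[dict]) -> List[dict]:
    return [e for e in events if is_suspicious(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon: 32-bit cmd.exe launching 64-bit rundll32.exe -> hit
    {"EventID": 1, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "User": "LAB\\alice"},
    # Sysmon: redirected 32-bit child, the normal WOW64 case -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\whoami.exe", "User": "LAB\\alice"},
    # Sysmon: allowlisted installer hand-off -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Sysmon: traversal trick, still System32 after normalisation -> hit
    {"EventID": 1, "ParentImage": r"C:\Windows\SysWOW64\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\..\System32\cmd.exe", "User": "LAB\\bob"},
    # Sysmon: 64-bit parent, out of scope -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Security 4688: 32-bit wscript.exe launching 64-bit PowerShell -> hit
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\SysWOW64\wscript.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "LAB\\carol"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        parent, child = parent_child(hit)
        print(f"{hit['EventID']} {hit['User']}: {parent} -> {child}")
```

Note that a 32-bit process reaches the 64-bit System32 only by using the C:\Windows\Sysnative\ alias or by disabling redirection; the logged image path is the real System32 path, which is why the check keys on the child path rather than on the string the parent passed to CreateProcess.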
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1036.009
Created: 2025-02-11