This detection rule identifies potentially malicious behavior where Git hooks are leveraged to execute processes within the System32 directory on Windows systems. Adversaries may use command and script interpreters, such as those provided by Git, to run various scripts or binaries, which can lead to unauthorized access or system compromise. The detection focuses on finding instances where Git hooks trigger the creation of a process in the System32 directory. It explicitly analyzes logs from Windows Event or Sysmon for process creation events, paying particular attention to the parent process path to confirm that Git is indeed responsible for the action. The logic is implemented through a Splunk query that filters events by the specified criteria and extracts relevant information for further analysis. As a proactive measure, security analysts should monitor for this kind of behavior to prevent potential exploitation stemming from vulnerabilities like CVE-2024-32002.