
Summary
This detection rule monitors the Windows file system for the creation of a file named 'PROCEXP152.sys' in the user's local application-data temporary folder. The file is normally dropped by Sysinternals Process Explorer, a legitimate tool, but its presence can also indicate the use of malicious tooling such as KDU (Kernel Data Unhooker) or the Ghost-In-The-Logs framework, both of which bundle and load the PROCEXP152.sys driver. The rule's selection criteria match the creation of this file while excluding known legitimate creating processes to reduce false positives. Because an attacker can evade the rule simply by renaming the driver before dropping it, the rule is assigned a medium severity level. It is therefore useful for surfacing potential abuse of the driver, but should not be relied upon as the sole detection.
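The following is an added example, not part of the rule or its original page, showing the selection logic described above run over a few constructed file-creation log lines. The log format (`key=value|key=value`), the field names `Image` and `TargetFilename`, the process allowlist and all sample paths are assumptions made for the example; the page only says that "known legitimate processes" are excluded, so the allowlist here is a placeholder. The third sample line also demonstrates the stated limitation: a renamed driver is not matched.

```python
import re
from dataclasses import dataclass

# Path tail the rule looks for: PROCEXP152.sys created in the user's
# local AppData temp folder. Matched case-insensitively, as NTFS paths are.
TARGET_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\PROCEXP152\.sys$", re.IGNORECASE)

# Assumed allowlist of creating processes (placeholder; the page does not
# name the excluded processes). Compared on the lowercase image file name.
ALLOWED_IMAGES = {"procexp.exe", "procexp64.exe"}


@dataclass
class FileCreateEvent:
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the file that was created


def parse_event(line: str) -> FileCreateEvent:
    """Parse one constructed 'key=value|key=value' file-creation log line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return FileCreateEvent(image=fields["Image"],
                           target_filename=fields["TargetFilename"])


def matches_rule(event: FileCreateEvent) -> bool:
    """True when the event satisfies the selection and none of the exclusions."""
    if not TARGET_PATH_RE.search(event.target_filename):
        return False  # not PROCEXP152.sys in %LOCALAPPDATA%\Temp
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    return image_name not in ALLOWED_IMAGES


def run_detection(lines):
    """Return the events from `lines` that the rule would alert on."""
    return [ev for ev in map(parse_event, lines) if matches_rule(ev)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # Process Explorer itself dropping its driver: excluded by the allowlist.
    r"Image=C:\Tools\procexp64.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\PROCEXP152.sys",
    # Unknown loader dropping the same driver: this is the alert the rule exists for.
    r"Image=C:\Users\bob\Downloads\loader.exe|TargetFilename=C:\Users\bob\AppData\Local\Temp\PROCEXP152.sys",
    # Same loader, driver renamed: the rule does not fire (documented limitation).
    r"Image=C:\Users\bob\Downloads\loader.exe|TargetFilename=C:\Users\bob\AppData\Local\Temp\drv.sys",
    # Right file name but outside the per-user temp folder: outside the rule's scope.
    r"Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Windows\Temp\PROCEXP152.sys",
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(f"ALERT: {hit.image} created {hit.target_filename}")
```

Running the block prints a single alert for the `loader.exe` line. The renamed-driver line slipping through is the reason the rule is rated medium severity; a complementary control such as driver-load telemetry keyed on the driver's signature rather than its file name would be needed to close that gap.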
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2019-04-08