Detect Renamed RClone

Splunk Security Content

Summary
This detection rule identifies executions of `rclone.exe` under a different file name, a technique often used by threat actors for data exfiltration. RClone is a command-line program for managing file transfers to various cloud storage providers. The detection leverages Endpoint Detection and Response (EDR) telemetry and compares the binary's original file name (`original_file_name`) with the name of the running process, flagging the execution anomaly where the process name does not match the expected `rclone.exe`. Because ransomware groups use RClone to exfiltrate sensitive information, this behavior can indicate a data exfiltration attempt or an existing compromise and warrants timely remediation to prevent a significant data breach.
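As an added illustration (not the rule's SPL and not code from Splunk Security Content), the same original-file-name comparison replayed in Python over constructed EDR process-creation events; the field names `process_name`, `original_file_name`, `host` and `user` are assumed to follow a normalized endpoint schema.

```python
"""Replay the "renamed rclone" logic over constructed EDR process events.

Added example, not part of the Splunk detection rule. Field names are
assumptions modelled on a normalized endpoint data model.
"""
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "process_name": "rclone.exe",
     "original_file_name": "rclone.exe"},                 # legitimate, name matches
    {"host": "ws02", "user": "bob", "process_name": "C:\\Temp\\svchost.exe",
     "original_file_name": "rclone.exe"},                 # renamed: alert
    {"host": "ws03", "user": "carol", "process_name": "RCLONE.EXE",
     "original_file_name": "rclone.exe"},                 # case difference only
    {"host": "ws04", "user": "dave", "process_name": "update.exe",
     "original_file_name": ""},                           # no PE metadata: undecidable
]

EXPECTED_NAME = "rclone.exe"


def _basename(path: str) -> str:
    """Strip any Windows or POSIX directory prefix and normalise case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def is_renamed_rclone(event: Dict[str, str]) -> bool:
    """True when the PE original file name says rclone.exe but the process
    was launched under another name. Events with an empty original_file_name
    are skipped: without the PE metadata the rule has nothing to compare."""
    original = _basename(event.get("original_file_name") or "")
    running = _basename(event.get("process_name") or "")
    if original != EXPECTED_NAME or not running:
        return False
    return running != EXPECTED_NAME


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the detection, with a summary field added."""
    hits = []
    for event in events:
        if is_renamed_rclone(event):
            hit = dict(event)
            hit["summary"] = (f"{event['host']}: {event['user']} ran "
                              f"{_basename(event['process_name'])} whose "
                              f"original file name is {EXPECTED_NAME}")
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["summary"])
```

Running the block reports only the `ws02` event; the unmodified and case-variant executions and the event without PE metadata are left alone.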
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
  • Application Log
  • File
  • Network Traffic
ATT&CK Techniques
  • T1020
Created: 2024-11-13