
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Summary
This detection rule targets potential defense evasion on Windows systems in which an uncommon tool is used to read raw disk data. It monitors raw disk access and compares the execution paths and registry references involved against those that normally indicate legitimate application activity. By applying heavy filtering against known benign applications and system directories, the rule aims to minimize false positives while still capturing suspicious activity. Several filters identify potential misuse: tools running from non-standard file paths, or raw access performed by uncommon process images. Particular attention is paid to applications that deviate from their usual behavior, which can indicate an attack, especially where an adversary is trying to bypass security controls or read sensitive data directly from disk devices.
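To make the filtering approach concrete, here is an added Python sketch (not the rule itself and not Sigma project code) that evaluates a hypothetical Sigma-style rule over constructed Sysmon-like raw-access events: every raw read is selected, then events whose process image lives in an assumed system directory or matches an assumed benign tool name are filtered away, leaving only the uncommon-path case to alert on.

```python
# Toy Sigma-style evaluator for the allow-list filtering this rule describes.
# Assumptions (not from the page): events are Sysmon-style dicts with an Image
# field; the rule uses selection / filter blocks with startswith / endswith modifiers.
from typing import Any, Dict, List

# Hypothetical rule: select every raw-access-read event, then drop events whose
# Image lives in a system directory or is a known benign tool (case-insensitive).
RULE = {
    "selection": {"EventType": "RawAccessRead"},
    "filter_system_dirs": {"Image|startswith": [
        "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\",
        "C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
    "filter_known_tools": {"Image|endswith": ["\\sysmon.exe", "\\sysmon64.exe"]},
    "condition": "selection and not 1 of filter_*",  # evaluated by is_suspicious()
}

def _field_matches(event: Dict[str, Any], key: str, wanted: Any) -> bool:
    """Apply one 'Field|modifier: value(s)' clause; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if (modifier == "startswith" and value.startswith(w)
                or modifier == "endswith" and value.endswith(w)
                or modifier == "contains" and w in value
                or modifier == "" and value == w):
            return True
    return False

def _block_matches(event: Dict[str, Any], block: Dict[str, Any]) -> bool:
    """Every clause in a selection/filter block must hold (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def is_suspicious(event: Dict[str, Any]) -> bool:
    """Evaluate the condition 'selection and not 1 of filter_*'."""
    if not _block_matches(event, RULE["selection"]):
        return False
    filters = [b for name, b in RULE.items() if name.startswith("filter_")]
    return not any(_block_matches(event, b) for b in filters)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventType": "RawAccessRead", "Image": "C:\\Windows\\System32\\svchost.exe"},  # system dir: filtered
    {"EventType": "RawAccessRead", "Image": "C:\\Users\\Public\\disktool.exe"},     # uncommon path: alert
    {"EventType": "RawAccessRead", "Image": "C:\\Tools\\Sysmon64.exe"},             # known tool: filtered
    {"EventType": "ProcessCreate", "Image": "C:\\Users\\Public\\disktool.exe"},     # not a raw read: not selected
]

def triage(events: List[Dict[str, Any]]) -> List[str]:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if is_suspicious(e)]
```

Calling `triage(SAMPLE_EVENTS)` returns only the `C:\Users\Public\disktool.exe` raw read; tuning the rule in practice means extending the filter lists with the benign tools observed in your own environment.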
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • File
Created: 2019-10-22