
Renamed Mavinject.EXE Execution

Sigma Rules

Summary
This detection rule identifies the execution of renamed copies of the Mavinject executable, whose original file names are 'mavinject32.exe' and 'mavinject64.exe'. Mavinject is a legitimate, Microsoft-signed Windows binary that can be abused for process injection through its '/INJECTRUNNING' flag, and attackers rename it so that the file name on disk no longer reveals what is running. The rule monitors process creation events on Windows: it selects events whose original file name (the name recorded in the executable's version resource) is one of the two Mavinject names, and it filters out events whose process image path still ends in the expected executable name, so that only renamed copies remain. Matching on the original file name rather than the on-disk path is what lets the detection survive the renaming, while the path filter removes the routine, correctly named executions that would otherwise be noise. This keeps alerts focused on genuinely anomalous activity, minimising false positives while still covering high-risk cases of process hijacking or injection.
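The following is an added example, not code from the rule page or the Sigma project: a small Python reimplementation of the selection-and-filter logic the summary describes, run over constructed Windows process-creation events. The field names (Image, OriginalFileName, CommandLine) follow the Sysmon/Sigma process_creation convention, and the set of on-disk names treated as "not renamed" is an assumption, not copied from the published rule.

```python
"""Detect renamed Mavinject executions from process-creation events.

Added example; not the Sigma rule itself. The logic mirrors the summary:
  1. select events whose OriginalFileName is a Mavinject name, then
  2. filter out events whose Image path still ends in an expected name.
"""

# Original file names stored in Mavinject's PE version resource.
MAVINJECT_ORIGINAL_NAMES = {"mavinject32.exe", "mavinject64.exe"}

# ASSUMPTION: on-disk names that count as "not renamed". The published rule's
# exact filter is not on the page; these are illustrative values.
EXPECTED_IMAGE_NAMES = {"mavinject.exe", "mavinject32.exe", "mavinject64.exe"}


def _image_basename(image: str) -> str:
    """Return the lower-cased file name component of a Windows image path."""
    return image.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def is_renamed_mavinject(event: dict) -> bool:
    """True when the binary is Mavinject by origin but not by on-disk name."""
    original = (event.get("OriginalFileName") or "").lower()
    if original not in MAVINJECT_ORIGINAL_NAMES:
        return False  # selection: not Mavinject at all
    if _image_basename(event.get("Image") or "") in EXPECTED_IMAGE_NAMES:
        return False  # filter: correctly named, routine execution
    return True


def injection_flag_present(event: dict) -> bool:
    """Enrichment only: was the '/INJECTRUNNING' switch on the command line?
    The rule fires on renaming alone; this just adds context to an alert."""
    return "/injectrunning" in (event.get("CommandLine") or "").lower()


def scan_events(events):
    """Return the events that would raise an alert, in input order."""
    return [e for e in events if is_renamed_mavinject(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Correctly named system copy: outside this rule's scope.
        "Image": r"C:\Windows\System32\mavinject.exe",
        "OriginalFileName": "mavinject32.exe",
        "CommandLine": r"mavinject.exe 1234 /INJECTRUNNING C:\tmp\x.dll",
    },
    {   # Renamed 64-bit copy masquerading as svchost: alert.
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "MAVINJECT64.EXE",
        "CommandLine": r"svchost.exe 4321 /INJECTRUNNING C:\Users\Public\p.dll",
    },
    {   # Unrelated process: no alert.
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe",
    },
    {   # Renamed copy with no injection switch visible: still an alert,
        # because the renaming itself is the signal.
        "Image": r"C:\Temp\update.exe",
        "OriginalFileName": "mavinject32.exe",
        "CommandLine": "update.exe",
    },
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        flag = "with /INJECTRUNNING" if injection_flag_present(hit) else "no flag seen"
        print(f"ALERT renamed Mavinject: {hit['Image']} ({flag})")
```

Comparisons are case-insensitive because Windows file names are, and the OriginalFileName check comes first so that a file named, say, svchost.exe is never trusted on its path alone.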
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1218
  • T1056.004
Created: 2022-12-05