
Summary
This detection rule monitors process execution on Windows systems, specifically instances where a renamed copy of 'BrowserCore.exe' is executed. 'BrowserCore.exe' is primarily used to extract Azure tokens, so its unauthorized execution is a potential indicator of compromise or misuse. The rule uses the process creation log source, capturing processes whose original filename is 'BrowserCore.exe' while filtering out legitimate instances that run from the correct file path. The detection logic selects processes whose original filename is 'BrowserCore.exe' and excludes those whose process image ends with 'BrowserCore.exe' (that is, the binary has not been renamed); an alert fires only when the selection matches and none of the known legitimate filters is met. This combination helps the rule identify potential threats without generating excessive false positives, contributing to the overall security posture against token extraction and unauthorized access.
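The selection-and-filter logic described above, implemented as an added Python example over constructed process-creation events (this is not the rule's own code or the Sigma project's). It assumes Sysmon/Sigma-style field names (OriginalFileName, Image) and the case-insensitive string matching that Sigma applies by default; the sample image paths are constructed for illustration. The detection works on renamed copies because OriginalFileName is read from the executable's PE version resource, which does not change when the file is renamed on disk.

```python
"""Added example: renamed BrowserCore.exe detection over sample process-creation events."""
from typing import Dict, List

# Constructed sample events in the shape of process_creation log fields.
# Field names (OriginalFileName, Image) are an assumption about the log source.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # legitimate: original filename matches and the on-disk name is unchanged
        "OriginalFileName": "BrowserCore.exe",
        "Image": r"C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe",
    },
    {   # suspicious: PE metadata says BrowserCore.exe, but the file was renamed
        "OriginalFileName": "BrowserCore.exe",
        "Image": r"C:\Users\Public\svchost.exe",
    },
    {   # unrelated process: selection does not match at all
        "OriginalFileName": "notepad.exe",
        "Image": r"C:\Windows\notepad.exe",
    },
    {   # suspicious: renamed copy dropped in a temp directory
        "OriginalFileName": "browsercore.exe",
        "Image": r"C:\Temp\bc.exe",
    },
]


def is_renamed_browsercore(event: Dict[str, str]) -> bool:
    """Return True when the event matches 'selection and not filter'.

    selection: OriginalFileName equals 'BrowserCore.exe'
    filter:    Image ends with 'BrowserCore.exe' (binary was not renamed)
    Comparisons are case-insensitive, as Sigma string modifiers are by default.
    """
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()

    # Selection: the PE metadata identifies the binary as BrowserCore.exe.
    if original != "browsercore.exe":
        return False

    # Filter: an image name that still ends with BrowserCore.exe is the
    # un-renamed, legitimate case and must not raise an alert.
    if image.endswith("browsercore.exe"):
        return False

    return True


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events and return those that alert."""
    return [e for e in events if is_renamed_browsercore(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT renamed BrowserCore.exe:", hit["Image"])
```

Running the block prints one line for each of the two renamed copies and stays silent for the binary executed under its real name and for the unrelated process. If a deployment has additional known-good paths, they belong in the filter branch alongside the image-name check, so that the selection itself stays untouched.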
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-02