
Summary
This detection rule identifies the execution of well-known Windows system executables from locations other than their expected directories, a masquerading technique adversaries use to evade security controls. Commonly abused names include 'svchost.exe', 'powershell.exe', and others that malware mimics in an effort to blend in with legitimate processes. By flagging these processes when they run outside the standard `\Windows\system32` and `\Windows\SysWOW64` paths, the rule supports early detection of intrusion attempts and of malware posing as legitimate services. The rule is implemented as a Splunk query that monitors events matching the Event ID associated with process creation (EventCode=1) and uses regular-expression checks to identify common legitimate executables by name and compare their file paths against their usual locations. It is particularly relevant for tracking known threat actors such as Flax Typhoon and Vice Society, who employ these tactics.
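As an added illustration of the rule's logic, not the rule's own Splunk query, the Python check below applies the same test to a few constructed key=value events as Splunk would extract them from Sysmon: a process-creation event whose image name is on the watch list but whose path is not beneath System32 or SysWOW64 is reported. The watched names beyond svchost.exe and powershell.exe, and the event lines themselves, are assumptions made for this example.

```python
import re
from typing import Optional

# Well-known executable names the rule watches. svchost.exe and powershell.exe
# come from the rule summary; lsass.exe and rundll32.exe are assumed additions.
WATCHED = {"svchost.exe", "powershell.exe", "lsass.exe", "rundll32.exe"}

# A watched image is legitimate only if it sits somewhere beneath
# <drive>:\Windows\System32\ or <drive>:\Windows\SysWOW64\ (case-insensitive).
# Requiring the trailing backslash keeps look-alike directories such as
# "System32x" from matching.
EXPECTED = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

# Minimal key=value field extraction; values are assumed to contain no spaces.
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    return dict(FIELD.findall(line))


def is_masquerade(event: dict) -> Optional[str]:
    """Return the suspicious image path, or None if the event is benign."""
    if event.get("EventCode") != "1":      # only Sysmon process-creation events
        return None
    image = event.get("Image", "").replace("/", "\\")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in WATCHED:                # not a name the rule cares about
        return None
    if EXPECTED.match(image):              # running from an expected directory
        return None
    return image


def scan(lines):
    return [hit for hit in (is_masquerade(parse_event(l)) for l in lines) if hit]


# Constructed sample events, not real telemetry.
SAMPLE = [
    r"EventCode=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventCode=1 Image=C:\Users\Public\svchost.exe ParentImage=C:\Windows\explorer.exe",
    r"EventCode=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe",
    r"EventCode=1 Image=C:\ProgramData\update\powershell.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventCode=1 Image=C:\Windows\SysWOW64\svchost.exe ParentImage=C:\Windows\SysWOW64\services.exe",
    r"EventCode=1 Image=C:\Windows\System32x\svchost.exe ParentImage=C:\Windows\explorer.exe",
    r"EventCode=3 Image=C:\Temp\svchost.exe DestinationIp=10.0.0.5",
    r"EventCode=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("masquerade candidate:", hit)
```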
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1036.005
- T1218
- T1036.004
Created: 2024-02-09