
PUA - Potential PE Metadata Tamper Using Rcedit

Summary
This rule detects execution of Rcedit, a tool for editing the resources of Portable Executable (PE) files, including the VERSIONINFO metadata (original filename, product name, company name, file description). Rewriting these fields is a defense evasion technique: renaming a system utility on disk leaves its embedded original filename intact, and that field is exactly what many renamed-binary detections compare against the on-disk name, so an attacker who can rewrite it can make a copied or renamed utility pass those checks. The rule keys on process creation events, looking for a process whose image name or PE description fields identify it as Rcedit together with command-line arguments that set version-string fields such as the original filename and product details. Because administrators and build pipelines also use Rcedit for legitimate purposes (branding, versioning), matches from authorized administrative activity are expected false positives and should be triaged against change records rather than treated as confirmed tampering.
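The following is an added Python approximation of the detection logic described above, run over constructed process-creation events. It is not the Sigma rule itself and not code from the SigmaHQ project. The image names, the description/product strings used to recognise Rcedit, the switch names (`--set-version-string`, `--set-resource-string`, as documented by Rcedit's own CLI) and the list of version-string keys are assumptions for this example; the page does not reproduce the rule's exact match lists.

```python
"""Toy re-implementation of the "PE metadata tamper using Rcedit" detection.

Added example, not the Sigma rule and not SigmaHQ code. Field names and
match strings are assumptions drawn from the rule summary and from rcedit's
documented command line: rcedit <exe> --set-version-string <KEY> <VALUE>.
"""
from dataclasses import dataclass

# Ways to recognise the rcedit binary. The image suffixes are the names of the
# official release binaries; the description/product values are the strings
# rcedit carries in its own VERSIONINFO. All are assumptions for this example.
RCEDIT_IMAGE_SUFFIXES = ("\\rcedit-x64.exe", "\\rcedit-x86.exe")
RCEDIT_DESCRIPTION = "edit resources of exe"
RCEDIT_PRODUCT = "rcedit"

# Switches that write resources into the target PE.
SET_SWITCHES = ("--set-version-string", "--set-resource-string")

# VERSIONINFO keys whose rewrite lets a renamed binary impersonate another
# file. OriginalFilename and product details come from the summary above; the
# remaining keys are an assumption. Matching is case-insensitive.
METADATA_KEYS = ("originalfilename", "productname", "productversion",
                 "companyname", "filedescription")


@dataclass
class ProcessEvent:
    """Subset of a Windows process-creation event (e.g. Sysmon Event ID 1)."""
    image: str
    command_line: str
    description: str = ""   # FileDescription of the started image
    product: str = ""       # ProductName of the started image


def is_rcedit(ev: ProcessEvent) -> bool:
    """Match rcedit by file name OR by its own embedded PE metadata, so a copy
    renamed to hide the tool is still caught while its resources are intact."""
    image = ev.image.lower()
    return (image.endswith(RCEDIT_IMAGE_SUFFIXES)
            or ev.description.lower() == RCEDIT_DESCRIPTION
            or ev.product.lower() == RCEDIT_PRODUCT)


def tampers_metadata(ev: ProcessEvent) -> bool:
    """True when the command line uses a write switch AND names one of the
    identity-bearing version-string keys (setting an icon alone is not enough)."""
    cli = ev.command_line.lower()
    return (any(sw in cli for sw in SET_SWITCHES)
            and any(key in cli for key in METADATA_KEYS))


def matches(ev: ProcessEvent) -> bool:
    return is_rcedit(ev) and tampers_metadata(ev)


# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    # 1. rcedit by name, rewriting OriginalFilename of a copied utility -> alert
    ProcessEvent(
        image=r"C:\Tools\rcedit-x64.exe",
        command_line=r'rcedit-x64.exe C:\Users\bob\svchost.exe '
                     r'--set-version-string OriginalFilename "svchost.exe"',
        description="Edit resources of exe", product="rcedit"),
    # 2. rcedit renamed to updater.exe but its own description intact -> alert
    ProcessEvent(
        image=r"C:\Users\bob\AppData\Local\Temp\updater.exe",
        command_line=r'updater.exe C:\Users\bob\tmp\x.exe '
                     r'--set-version-string ProductName "Microsoft Windows"',
        description="Edit resources of exe", product="rcedit"),
    # 3. rcedit only changing an icon: no identity field touched -> no alert
    ProcessEvent(
        image=r"C:\Tools\rcedit-x64.exe",
        command_line=r"rcedit-x64.exe C:\build\app.exe --set-icon app.ico",
        description="Edit resources of exe", product="rcedit"),
    # 4. unrelated process that merely mentions a key name -> no alert
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c echo OriginalFilename --set-version-string",
        description="Windows Command Processor", product="Microsoft Windows"),
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    """Return the images of all events that trigger the detection."""
    return [ev.image for ev in events if matches(ev)]


if __name__ == "__main__":
    for image in run():
        print("ALERT: potential PE metadata tamper by", image)
```

Event 2 shows why the rule checks the description/product fields in addition to the image name: an attacker who renames Rcedit itself would otherwise slip past a file-name match. The converse caveat is that this fallback depends on the telemetry source populating those PE fields, and on Rcedit's own metadata not having been stripped first.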
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-12-11