
Uncommon Process Access Rights For Target Image

Sigma Rules

Summary
This detection rule flags process-access events in which a process opens a handle to an uncommon target image with the full access mask PROCESS_ALL_ACCESS (GrantedAccess 0x1FFFFF as rendered in Sysmon Event ID 10). The target images monitored are harmless Windows accessories: calc.exe, calculator.exe, mspaint.exe, notepad.exe, ping.exe, wordpad.exe and write.exe. Nothing legitimate normally needs full rights on these binaries, but they are popular sacrificial hosts for process injection (a loader spawns notepad.exe, opens it with full access, writes shellcode and starts a thread), so a full-access handle to one of them is a useful signal for defense evasion and privilege escalation activity. The rule is tagged with the ATT&CK tactics Defense Evasion and Privilege Escalation and with sub-technique T1055.011 (Process Injection: Extra Window Memory Injection). Its log source is Windows process-access telemetry (Sigma category process_access, product windows). The rule is marked experimental as of May 2024. Expect benign hits from debuggers and some security or monitoring tools that open processes with full access, and note the gap in the other direction: an injector that requests only the rights it needs (for instance PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD) never produces a 0x1FFFFF mask and is not caught by this rule.
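To make the match condition concrete, here is a small re-implementation of the rule's logic run over constructed Sysmon Event ID 10 (ProcessAccess) records, with a decoder for the GrantedAccess mask so the difference between 0x1FFFFF and a minimal injection mask is visible. This is example code added for this page, not the Sigma project's rule or tooling; the sample events, source image names and paths are made up, and the PROCESS_* bit values are the standard ones from winnt.h.

```python
# Added example for this page: a toy re-implementation of the rule's matching
# logic run over constructed Sysmon Event ID 10 (ProcessAccess) records.
# Not the Sigma project's own code; the sample events below are made up.

PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# PROCESS_* access rights from winnt.h, used to decode a GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# Rights a classic remote-thread injector needs. A mask carrying these but not
# the full 0x1FFFFF is invisible to this rule.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

UNCOMMON_TARGETS = {"calc.exe", "calculator.exe", "mspaint.exe", "notepad.exe",
                    "ping.exe", "wordpad.exe", "write.exe"}


def decode_access(mask):
    """Return the named rights set in a GrantedAccess mask, plus any unknown bits."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_access(value):
    """Sysmon renders GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(value, 16) if isinstance(value, str) else int(value)


def basename(image_path):
    """Last component of a Windows path, lower-cased (Sigma matching is case-insensitive)."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_matches(event):
    """True when the event carries the full access mask and an uncommon target image."""
    return (parse_access(event["GrantedAccess"]) == PROCESS_ALL_ACCESS
            and basename(event["TargetImage"]) in UNCOMMON_TARGETS)


def injection_capable(mask):
    """True when the mask is sufficient for CreateRemoteThread-style injection."""
    return mask & INJECTION_RIGHTS == INJECTION_RIGHTS


def run_rule(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed Sysmon Event ID 10 records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\Debugger\windbg.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x143A"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        mask = parse_access(e["GrantedAccess"])
        verdict = "ALERT" if rule_matches(e) else "pass "
        print(f"{verdict} {basename(e['SourceImage'])} -> {basename(e['TargetImage'])} "
              f"{e['GrantedAccess']} [{', '.join(decode_access(mask))}]")
```

Running it alerts on the first two events (the loader and the debugger, both full access on a listed target) and passes the other three. The third event is the instructive one: a 0x143A mask gives the source process everything it needs to write and execute code in notepad.exe, yet the rule stays silent because it compares for equality with 0x1FFFFF rather than testing for the injection-relevant bits.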
Categories
  • Windows
Data Sources
  • Process
Created: 2024-05-27