
Summary
This detection rule identifies potential process hollowing by checking for discrepancies between the in-memory image of a process and its corresponding image on disk. Process hollowing is a technique in which a legitimate process is hijacked and its code replaced in memory with malicious code, so that malware executes under the guise of a legitimate application. Detection relies on monitoring for processes whose image on disk does not match the image running in memory. The rule matches only events whose image type indicates that the image has been replaced, and it applies filters that exclude key directories typical of legitimate Windows installations and of well-known applications such as Microsoft Edge and Opera. These filters reduce false positives by ensuring that only processes running from outside the expected locations are flagged. The rule applies to Windows operating systems and supports detection of privilege escalation and defense evasion tactics. Using it effectively requires monitoring software that can detect and report these disk-versus-memory discrepancies.
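The matching and filtering logic described above, applied to a few constructed process events, as an added example that is not the rule's own implementation. The event field names, the sensor verdict value "replaced" and the allow-listed paths are assumptions, since the page names the Windows, Edge and Opera directories but not their exact paths.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

@dataclass
class ProcessEvent:
    pid: int
    image: str       # on-disk image path reported by the sensor (assumed field)
    image_type: str  # sensor's verdict on the mapped image, e.g. "replaced" (assumed)

# Assumed allow-list: the rule excludes expected Windows and application
# directories, but their exact paths are not given, so these are illustrative.
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Per-user installs such as Opera sit under a varying profile directory, so match on the segment.
EXPECTED_SEGMENTS = (
    "\\appdata\\local\\programs\\opera\\",
)

def normalize(path: str) -> str:
    # Collapse "..", unify separators and fold case so a path is judged by its real location.
    return ntpath.normpath(path).lower()

def in_expected_location(path: str) -> bool:
    p = normalize(path)
    return p.startswith(EXPECTED_PREFIXES) or any(s in p for s in EXPECTED_SEGMENTS)

def is_hollowing_candidate(ev: ProcessEvent) -> bool:
    # Only events where the image in memory no longer matches the disk image.
    if ev.image_type.lower() != "replaced":
        return False
    # Expected locations are filtered to cut false positives; the trade-off is
    # that a replaced image at one of these paths is not flagged by this rule.
    return not in_expected_location(ev.image)

def detect(events: Iterable[ProcessEvent]) -> List[int]:
    return [ev.pid for ev in events if is_hollowing_candidate(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\svchost.exe", "replaced"),
    ProcessEvent(1002, r"C:\Users\alice\AppData\Local\Programs\Opera\opera.exe", "replaced"),
    ProcessEvent(1003, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "replaced"),
    ProcessEvent(1004, r"C:\Windows\System32\..\..\Users\bob\Downloads\setup.exe", "replaced"),
    ProcessEvent(1005, r"C:\Users\alice\AppData\Local\Temp\helper.exe", "original"),
]
```

Event 1004 shows why paths are normalized before the allow-list check: its raw string begins with the Windows directory but resolves to a user's Downloads folder.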
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- File
Created: 2022-01-25