
Summary
This detection rule identifies the execution of Sysinternals tools (procdump, psexec and others) that were installed as an AppX package, for example the Sysinternals Suite from the Microsoft Store. Tools installed this way run from the WindowsApps package directory rather than from the locations that path-based detection logic typically watches, so an attacker can use a Store-installed PsExec or ProcDump to sidestep detections that key on the usual install paths. The rule looks for EventID 201 in the Windows AppModel-Runtime log (Sigma logsource service appmodel-runtime), which is written when a packaged application is activated, and matches when the activated image name is one of the listed Sysinternals tools. Alerting on these activations gives defenders visibility into misuse of AppX-packaged tooling that process-path detections would miss. The rule is tagged under the defense evasion and execution attack techniques and carries a low severity level, since the same events are generated by administrators who legitimately run these tools from the Store version; tune it by baselining which hosts and users are expected to run them.
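The matching logic the summary describes, run over a few constructed AppModel-Runtime events, as an added example (this is illustrative code written here, not the rule's own YAML or any vendor implementation). It assumes the event fields are named `EventID` and `ImageName`; the package name, hostnames and tool list are constructed sample data, and the tool list is abbreviated to the two tools the summary names. The example also shows the difference between prefix and substring matching on the image name, and a simple host baseline for the false-positive case the summary mentions:

```python
"""Toy detector for Sysinternals tools activated from an AppX package.

Mirrors the rule's logic: EventID 201 from the AppModel-Runtime log where the
activated image name starts with one of the Sysinternals tool names.
Field names and all sample data below are assumptions/constructed for this example.
"""

# Abbreviated tool list (assumption: the real rule lists more tools).
SYSINTERNALS_TOOLS = ("procdump", "psexec")

# Event written by the AppModel-Runtime log when a packaged app is activated.
APPX_ACTIVATION_EVENT_ID = 201

# Constructed sample events; channel/package names are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 201, "Computer": "WS-ADMIN01", "ImageName": "procdump64.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_2023.1.0.0_x64__8wekyb3d8bbwe"},
    {"EventID": 201, "Computer": "WS-FINANCE07", "ImageName": "PsExec.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_2023.1.0.0_x64__8wekyb3d8bbwe"},
    {"EventID": 201, "Computer": "WS-FINANCE07", "ImageName": "Calculator.exe",
     "PackageFullName": "Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe"},
    # Same image name but a different event id: not an activation record.
    {"EventID": 200, "Computer": "WS-FINANCE07", "ImageName": "procdump.exe",
     "PackageFullName": "Microsoft.SysinternalsSuite_2023.1.0.0_x64__8wekyb3d8bbwe"},
    # Prefix match must not fire on an unrelated name that merely contains the tool name.
    {"EventID": 201, "Computer": "WS-FINANCE07", "ImageName": "notprocdump.exe",
     "PackageFullName": "Contoso.Utility_1.0.0.0_x64__abcdefghijklm"},
]


def is_sysinternals_appx_execution(event: dict) -> bool:
    """Return True when the event is an AppX activation of a listed Sysinternals tool.

    Matching is case-insensitive and uses a prefix test (ImageName|startswith),
    so 'procdump64.exe' matches but 'notprocdump.exe' does not.
    """
    if event.get("EventID") != APPX_ACTIVATION_EVENT_ID:
        return False
    image = str(event.get("ImageName", "")).lower()
    return image.startswith(SYSINTERNALS_TOOLS)


def detect(events: list, expected_hosts: frozenset = frozenset()) -> list:
    """Apply the rule to a list of events and attach a triage note to each hit.

    expected_hosts is a constructed baseline of machines where administrators are
    known to run the Store version of the Sysinternals Suite; hits there are kept
    (the rule is low severity, not suppressed) but flagged as expected.
    """
    hits = []
    for event in events:
        if not is_sysinternals_appx_execution(event):
            continue
        host = event.get("Computer", "")
        note = "expected: baselined admin host" if host in expected_hosts else "investigate"
        hits.append({"host": host, "image": event.get("ImageName"),
                     "package": event.get("PackageFullName"), "triage": note})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, expected_hosts=frozenset({"WS-ADMIN01"})):
        print(hit)
```

Run stand-alone it prints two hits, the ProcDump activation on the baselined admin workstation and the PsExec activation on the finance workstation marked for investigation; the calculator activation, the non-activation event and the look-alike image name produce nothing.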
Categories
- Windows
- Endpoint
Data Sources
- Application Log
- Process
Created: 2023-01-16