
Summary
This detection rule identifies potential direct system calls to NtOpenProcess, the NTDLL function that opens a handle to another process; invoking it without passing through the NTDLL export can indicate malicious behavior. The rule monitors process access activity in a Windows environment, focusing on calls that may signal attempts to manipulate or interact with other processes without using the standard API path. The detection logic selects events whose CallTrace starts with 'UNKNOWN' (the first stack frame lies outside any loaded module), then applies several filters that exclude known benign behavior based on the source and target image paths, so that the alerts generated are more likely to represent genuine threats than false positives. Exclusions cover common software such as Microsoft Teams, Adobe Acrobat, and VS Code. The rule is designed to help detect exploitation tactics typically associated with malware such as Cobalt Strike or similar attack frameworks.
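Added example, not the rule's own logic or any project code: the selection and exclusion steps described above applied to constructed Sysmon ProcessAccess records. The benign path fragments, sample paths and addresses are assumptions, and only the source-image side of the exclusions is modelled.

```python
# Added example, not the rule's own code: applies the summary's logic to
# Sysmon ProcessAccess (Event ID 10) records. Keep events whose CallTrace
# starts with 'UNKNOWN', then drop those whose source image matches a known
# benign product. The exclusion paths are assumptions, not the rule's list.
from dataclasses import dataclass

@dataclass
class ProcessAccessEvent:
    source_image: str  # Sysmon SourceImage
    call_trace: str    # Sysmon CallTrace, '|'-separated stack frames

# Assumed benign path fragments (placeholders for the rule's real filter list).
BENIGN_SOURCE_FRAGMENTS = (
    r"\Microsoft\Teams\current\Teams.exe",
    r"\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    r"\Microsoft VS Code\Code.exe",
)

def first_frame_is_unknown(call_trace: str) -> bool:
    """Sysmon writes UNKNOWN(address) for a frame outside any loaded module.
    A trace that starts there never went through the NTDLL NtOpenProcess
    stub, which is the direct-syscall signature the rule keys on."""
    return call_trace.upper().startswith("UNKNOWN")

def is_excluded(event: ProcessAccessEvent) -> bool:
    """Benign-software filter on the source image path (assumed fragments)."""
    src = event.source_image.lower()
    return any(frag.lower() in src for frag in BENIGN_SOURCE_FRAGMENTS)

def matches_rule(event: ProcessAccessEvent) -> bool:
    return first_frame_is_unknown(event.call_trace) and not is_excluded(event)

def triage(events):
    """Return the SourceImage of every event the rule would alert on."""
    return [e.source_image for e in events if matches_rule(e)]

# Constructed sample records (fictional paths and addresses).
SAMPLE_EVENTS = [
    # Normal API path: first frame is inside ntdll, so no alert.
    ProcessAccessEvent(r"C:\Windows\System32\svchost.exe",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d1a4|C:\Windows\System32\KERNELBASE.dll+2c4f3"),
    # First frame outside any module, from an unrecognised binary: alert.
    ProcessAccessEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                       r"UNKNOWN(000001F4A2B30000)|C:\Windows\System32\KERNELBASE.dll+2c4f3"),
    # Same pattern from an excluded product: suppressed as a known false positive.
    ProcessAccessEvent(r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
                       r"UNKNOWN(00007FF6E1230000)|C:\Windows\System32\KERNELBASE.dll+2c4f3"),
]
```

Running `triage(SAMPLE_EVENTS)` yields only the Temp\update.exe record: the svchost event fails the CallTrace test and the Teams event is suppressed by the exclusion.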
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Application Log
Created: 2021-07-28