
Summary
This detection rule identifies executions of dnx.exe, a .NET execution environment that adversaries can abuse to launch unsigned code. As a 'Living Off the Land Binaries and Scripts' (LOLBAS) binary, dnx.exe can be misused where application whitelisting is in place, giving attackers a way to run unauthorized code under the cover of a legitimate, signed Microsoft binary. The rule tracks Event ID 4688, which logs process creation on Windows systems, and looks specifically for new processes whose image is dnx.exe. The query collects data from endpoint event logs, groups it by time and host, and summarizes the relevant process details (user, process IDs, and parent process) for analysis, making it a key detection for potential system binary proxy execution attempts.
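The matching and summarizing logic described above, emulated in Python over a handful of constructed Event ID 4688 records. This is an added illustration, not the rule's own query; the dictionary field names, sample hosts, users and paths are assumptions chosen to mirror the Security log's "New Process Name" / "Creator Process Name" fields.

```python
# Added example (not the detection rule's own query): emulate the 4688 -> dnx.exe
# detection and its per-host, per-time-bucket summary over constructed events.
from collections import defaultdict
from datetime import datetime
import ntpath

# Constructed sample Windows Security events. Only EventCode 4688 records are
# process creations; the 4624 record is included to show it is ignored.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-05-31T09:00:05", "EventCode": 4688,
     "user": "CORP\\alice", "new_process_name": "C:\\Windows\\System32\\cmd.exe",
     "new_pid": "0x1a4", "parent_name": "C:\\Windows\\explorer.exe", "parent_pid": "0x9c"},
    {"host": "WS01", "time": "2025-05-31T09:00:07", "EventCode": 4688,
     "user": "CORP\\alice", "new_process_name": "C:\\Users\\alice\\AppData\\Local\\t\\DNX.EXE",
     "new_pid": "0x1b0", "parent_name": "C:\\Windows\\System32\\cmd.exe", "parent_pid": "0x1a4"},
    {"host": "SRV02", "time": "2025-05-31T10:15:00", "EventCode": 4688,
     "user": "CORP\\svc_build", "new_process_name": "C:\\BuildTools\\dnx.exe",
     "new_pid": "0x2f0", "parent_name": "C:\\BuildTools\\msbuild.exe", "parent_pid": "0x2e8"},
    {"host": "SRV02", "time": "2025-05-31T10:15:02", "EventCode": 4624,
     "user": "CORP\\svc_build", "new_process_name": "", "new_pid": "", "parent_name": "", "parent_pid": ""},
]


def is_dnx_execution(event):
    """Core rule condition: a 4688 whose new process image is dnx.exe, in any
    directory and any letter case. Matching on the image name alone will not
    catch a renamed copy; that is a known limitation of this style of rule."""
    if event.get("EventCode") != 4688:
        return False
    return ntpath.basename(event.get("new_process_name", "")).lower() == "dnx.exe"


def summarize(events, bucket_minutes=5):
    """Group dnx.exe executions by (host, time bucket) and collect the details an
    analyst triages: user, new PID, parent image and parent PID."""
    hits = defaultdict(list)
    for ev in events:
        if not is_dnx_execution(ev):
            continue
        ts = datetime.fromisoformat(ev["time"])
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0, microsecond=0)
        hits[(ev["host"], bucket.isoformat())].append({
            "user": ev["user"], "process_id": ev["new_pid"],
            "parent_process": ev["parent_name"], "parent_process_id": ev["parent_pid"],
            "process": ev["new_process_name"],
        })
    return dict(hits)


if __name__ == "__main__":
    for (host, when), details in sorted(summarize(SAMPLE_EVENTS).items()):
        print(host, when, details)
```

The parent image is what separates a build-server invocation from an interactive launch, so it is the first field to review on each hit.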
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Logon Session
- Process
ATT&CK Techniques
- T1218
Created: 2025-05-31