
Summary
This detection rule identifies execution of a renamed copy of the PAExec utility, a legitimate remote command-execution tool (a PsExec alternative) that attackers frequently use for lateral movement. Administrators run it under its own file name; an attacker who drops it on a host under a different name is trying to evade name-based detection, so a PAExec binary running under an unexpected file name is a strong indicator of malicious activity. The rule inspects process creation events on Windows hosts and selects processes whose application description or original file name identify them as PAExec, or whose hash values match known PAExec builds, so the binary is recognized even after it has been renamed while unrelated tools are not matched. An exclusion filter then drops executions from the expected file name and known legitimate paths, so routine administrative use of PAExec does not raise an alert. The rule fires only when a process matches the selection criteria and not the exclusion filter.
Categories
- Endpoint
- Windows
Data Sources
- Process
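The following is an added example, not the rule's own logic or code from any project: a small evaluator that mirrors the detection described in the summary (selection on description, original file name or hash; exclusion on the expected file name) and runs it over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, Description, OriginalFileName, Hashes); the hash value in the allow-list and every sample event are made up for illustration and are not real PAExec indicators.

```python
import re

# Constructed placeholder, NOT a real PAExec import hash. A real rule would
# carry the import hashes of the PAExec builds it wants to recognize.
KNOWN_PAEXEC_IMPHASHES = {
    "0123456789ABCDEF0123456789ABCDEF",
}

# Expected image name for legitimate use: the binary is called paexec.exe.
EXPECTED_IMAGE_RE = re.compile(r"\\paexec\.exe$", re.IGNORECASE)


def parse_hashes(hashes_field):
    """Parse a Sysmon 'Hashes' string such as 'SHA256=...,IMPHASH=...' into a dict."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().upper()
    return out


def selection_matches(event):
    """True when version info or hash identify the process as PAExec."""
    description = event.get("Description", "")
    original_name = event.get("OriginalFileName", "")
    imphash = parse_hashes(event.get("Hashes", "")).get("IMPHASH", "")
    return (
        "PAExec" in description
        or original_name.lower() == "paexec.exe"
        or imphash in KNOWN_PAEXEC_IMPHASHES
    )


def filter_matches(event):
    """True when the process runs under the expected paexec.exe file name."""
    return bool(EXPECTED_IMAGE_RE.search(event.get("Image", "")))


def is_renamed_paexec(event):
    """Rule condition: selection and not filter."""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate admin use: correct file name, version info intact
        "Image": r"C:\Tools\PAExec.exe",
        "Description": "PAExec Application",
        "OriginalFileName": "PAExec.exe",
        "Hashes": "SHA256=AAAA,IMPHASH=0123456789ABCDEF0123456789ABCDEF",
    },
    {   # renamed copy: version info still identifies it as PAExec
        "Image": r"C:\Users\Public\svchost_update.exe",
        "Description": "PAExec Application",
        "OriginalFileName": "PAExec.exe",
        "Hashes": "SHA256=BBBB,IMPHASH=0123456789ABCDEF0123456789ABCDEF",
    },
    {   # renamed and version resource stripped: only the hash still matches
        "Image": r"C:\Windows\Temp\p.exe",
        "Description": "",
        "OriginalFileName": "",
        "Hashes": "SHA256=CCCC,IMPHASH=0123456789ABCDEF0123456789ABCDEF",
    },
    {   # unrelated process: nothing matches
        "Image": r"C:\Windows\System32\notepad.exe",
        "Description": "Notepad",
        "OriginalFileName": "NOTEPAD.EXE",
        "Hashes": "SHA256=DDDD,IMPHASH=FEDCBA9876543210FEDCBA9876543210",
    },
]


def detect(events):
    """Return the image paths of events that the rule would alert on."""
    return [e["Image"] for e in events if is_renamed_paexec(e)]


if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print("ALERT renamed PAExec:", image)
```

The third sample event is the case worth keeping in mind: the description and original file name come from the PE version resource, which an attacker can edit or strip, so the hash clause is what keeps the rule effective against a copy whose metadata has been scrubbed. Conversely, a rebuilt or packed binary changes the hash, so an environment should expect to maintain that list as new PAExec versions appear.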
Created: 2021-05-22