
Summary
This detection rule identifies unusual network activity originating from trusted Windows system binaries, which adversaries often abuse to execute payloads while evading defenses that trust signed, well-known executables. By monitoring established network connections from these binaries, it aims to surface that evasion. The rule is written in EQL (Event Query Language) as a sequence that pairs a process execution event with a subsequent network event from the same process, so a known developer utility is flagged only when it actually goes on to communicate over the network. A thorough investigation guide is provided for analysts to follow up on alerts, covering the process execution chain, DNS cache entries, abnormal behaviors, and host characteristics that may indicate compromise. The rule integrates with data sources such as Sysmon and Elastic Defend, giving a comprehensive view of system activity. It is mapped to the MITRE ATT&CK techniques Masquerading, Trusted Developer Utilities Proxy Execution, and System Binary Proxy Execution, so that alerts are assessed against common evasion practices.
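The following is an added example, not the rule's own EQL query or any Elastic code: a small Python re-implementation of the sequence semantics the summary describes (a process start event joined to a later network event by process entity id, within a time window), run over constructed Sysmon-style events. The watched-binary set, the five-minute window, the host name, entity ids, parents and destination addresses are all assumptions made for illustration; the binaries chosen are the two sub-techniques listed on this page (MSBuild, Mshta), not the rule's full list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed, illustrative subset of watched binaries (constructed for this
# example); the real rule's list is not reproduced here.
WATCHED_BINARIES = {"msbuild.exe", "mshta.exe"}
MAXSPAN = timedelta(minutes=5)  # assumed sequence window, not the rule's value


@dataclass
class Event:
    """Minimal ECS-like event carrying only the fields the sequence needs."""
    timestamp: datetime
    category: str        # "process" or "network"
    event_type: str      # "start" or "connection"
    host: str
    entity_id: str       # process.entity_id: unique per process instance
    process_name: str
    parent_name: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def match_sequence(events, watched=WATCHED_BINARIES, maxspan=MAXSPAN):
    """Emulate an EQL sequence joined by (host, process.entity_id) with maxspan:
    stage 1 = start of a watched binary, stage 2 = a network connection from
    that same process instance. Returns one alert dict per matched pair."""
    pending = {}   # (host, entity_id) -> stage-1 event awaiting stage 2
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.host, ev.entity_id)
        if ev.category == "process" and ev.event_type == "start":
            if ev.process_name.lower() in watched:
                pending[key] = ev
        elif ev.category == "network" and ev.event_type == "connection":
            start = pending.pop(key, None)
            if start is None:
                continue   # no observed start for this process instance
            if ev.timestamp - start.timestamp <= maxspan:
                alerts.append({
                    "host": ev.host,
                    "entity_id": ev.entity_id,
                    "process": start.process_name,
                    "parent": start.parent_name,      # useful for triage
                    "dest": f"{ev.dest_ip}:{ev.dest_port}",
                })
            # else: stage 2 arrived after maxspan, the sequence has expired
    return alerts


def _t(hms):
    # Constructed timestamps on an arbitrary day.
    return datetime(2020, 9, 2, *map(int, hms.split(":")))


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # A: MSBuild started by an IDE, then connects out -> fires (benign parent)
    Event(_t("10:00:00"), "process", "start", "ws01", "ws01-1001", "MSBuild.exe", parent_name="devenv.exe"),
    Event(_t("10:00:03"), "network", "connection", "ws01", "ws01-1001", "MSBuild.exe", dest_ip="203.0.113.10", dest_port=443),
    # B: mshta spawned by Word, then connects out -> fires (suspicious chain)
    Event(_t("10:05:00"), "process", "start", "ws01", "ws01-1002", "mshta.exe", parent_name="WINWORD.EXE"),
    Event(_t("10:05:02"), "network", "connection", "ws01", "ws01-1002", "mshta.exe", dest_ip="198.51.100.7", dest_port=80),
    # C: network event from mshta whose start was never ingested -> no match
    Event(_t("10:10:00"), "network", "connection", "ws01", "ws01-1003", "mshta.exe", dest_ip="198.51.100.8", dest_port=443),
    # D: MSBuild connects only ten minutes after starting -> outside maxspan
    Event(_t("10:20:00"), "process", "start", "ws01", "ws01-1004", "MSBuild.exe", parent_name="cmd.exe"),
    Event(_t("10:30:00"), "network", "connection", "ws01", "ws01-1004", "MSBuild.exe", dest_ip="203.0.113.11", dest_port=443),
    # E: unwatched binary -> ignored
    Event(_t("10:40:00"), "process", "start", "ws01", "ws01-1005", "notepad.exe", parent_name="explorer.exe"),
    Event(_t("10:40:01"), "network", "connection", "ws01", "ws01-1005", "notepad.exe", dest_ip="203.0.113.12", dest_port=443),
]


def run_demo():
    return match_sequence(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two alerts come out of the sample: case A is the kind of true-positive-by-the-rule but benign-in-context event that the investigation guide's process-chain step resolves (parent is the IDE), while case B is the chain an analyst should escalate. Cases C and D show the two structural limits of a sequence rule: the join is on the process entity id, so a process that started before telemetry collection began never produces a match, and a connection made after the window expires is missed even from a watched binary.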
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Application Log
- User Account
ATT&CK Techniques
- T1036 (Masquerading)
- T1036.005 (Match Legitimate Name or Location)
- T1127 (Trusted Developer Utilities Proxy Execution)
- T1127.001 (MSBuild)
- T1218 (System Binary Proxy Execution)
- T1218.005 (Mshta)
Created: 2020-09-02