
Summary
This detection rule identifies potentially malicious behavior by monitoring system processes that run from locations other than the expected directories `C:\Windows\System32\` and `C:\Windows\SysWOW64`. Using data from Endpoint Detection and Response (EDR) agents, it analyzes process paths, process names, and process hashes. A process found running from an atypical location is flagged as a potential masquerading attempt, in which an attacker creates or launches a malicious executable disguised as a legitimate system process. This behavior is important to monitor because it can allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence in the compromised environment. The rule uses a Splunk search to filter for processes whose execution path deviates from the expected one, so that security teams can respond proactively to the potential threat.
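The rule's logic re-implemented in Python over constructed sample EDR events, as an added example that is not the rule's own Splunk query; the system-process name list and the expansion of `%SystemRoot%` to `C:\Windows` are assumptions, and subdirectories of System32 are treated as unexpected locations.

```python
import ntpath
from typing import Iterable

# Directories where the listed system binaries legitimately run (lower-case, no trailing slash).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed subset of system process names that are commonly masqueraded; extend for your environment.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "taskhostw.exe", "spoolsv.exe", "dllhost.exe", "conhost.exe", "rundll32.exe",
}

def normalize_path(path: str) -> str:
    """Canonicalise an EDR-reported image path so the directory comparison is exact."""
    p = path.strip().replace("/", "\\").lower()
    if p.startswith("\\\\?\\"):  # strip the extended-length path prefix
        p = p[4:]
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")  # assumes the default system root
    return p

def is_masquerade(event: dict, known_good_hashes: set[str] = frozenset()) -> bool:
    """True when a system-process name runs outside System32/SysWOW64 (subdirectories count
    as outside); a hash allowlist excludes vetted, relocated binaries while tuning."""
    path = normalize_path(event["process_path"])
    name = (event.get("process_name") or ntpath.basename(path)).lower()
    if not ({name, ntpath.basename(path)} & SYSTEM_PROCESS_NAMES):
        return False  # not a process name the rule cares about
    if event.get("process_hash", "").lower() in known_good_hashes:
        return False  # explicitly vetted binary
    return ntpath.dirname(path) not in SYSTEM_DIRS

def find_masquerades(events: Iterable[dict], known_good_hashes: set[str] = frozenset()) -> list[dict]:
    return [e for e in events if is_masquerade(e, known_good_hashes)]

# Constructed sample EDR events; the hashes are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    {"process_name": "svchost.exe", "process_path": r"C:\Windows\System32\svchost.exe", "process_hash": "aa01"},
    {"process_name": "svchost.exe", "process_path": r"C:\Users\Public\svchost.exe", "process_hash": "bb02"},
    {"process_name": "rundll32.exe", "process_path": r"C:\Windows\SysWOW64\rundll32.exe", "process_hash": "cc03"},
    {"process_name": "csrss.exe", "process_path": r"\\?\C:\Windows\System32\csrss.exe", "process_hash": "dd04"},
    {"process_name": "services.exe", "process_path": r"C:\Windows\System32\Tasks\services.exe", "process_hash": "ee05"},
    {"process_name": "notepad.exe", "process_path": r"C:\Temp\notepad.exe", "process_hash": "ff06"},
    {"process_name": "winlogon.exe", "process_path": "%SystemRoot%/System32/winlogon.exe", "process_hash": "0007"},
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_EVENTS):
        print(f"ALERT masquerade: {hit['process_name']} from {hit['process_path']} (hash {hit['process_hash']})")
```

Only the copy in `C:\Users\Public` and the one under `System32\Tasks` are flagged; the extended-prefix, forward-slash and `%SystemRoot%` forms of legitimate paths are normalised away rather than producing false positives.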
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1036.003
- T1036
Created: 2024-11-13