Windows DotNet Binary in Non Standard Path

Splunk Security Content

Summary
This detection rule identifies the execution of .NET binaries from non-standard directories on Windows. It uses telemetry generated by Endpoint Detection and Response (EDR) tooling, which logs process activity, and compares both process names and original file paths against a set of known safe directories. The macro `is_net_windows_file_macro` is central to this comparison. The detection matters because adversaries frequently place malicious .NET executables in atypical locations to evade traditional security controls. Identifying these execution paths helps mitigate risks such as arbitrary code execution, privilege escalation, and persistence within an environment. The rule requires that EDR logs be ingested accurately and mapped to Splunk's Endpoint data model so that potential threats can be analyzed effectively.
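The comparison the summary describes, run over a few constructed EDR process events, as an added Python example. It is not part of the Splunk content and does not reproduce the real search or the contents of `is_net_windows_file_macro`; the list of .NET binary names, the standard-directory patterns, the `ProcessEvent` fields and the sample events are all assumptions made for illustration. The check looks at both the running process name and the PE original file name, so a renamed copy of a framework binary is still caught, and it flags the event only when the file path falls outside the expected directories.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: an approximation of what a macro like `is_net_windows_file_macro`
# would match on. These are common .NET framework binaries; the real macro's
# list is not reproduced here.
NET_WINDOWS_BINARIES = {
    "csc.exe", "vbc.exe", "jsc.exe", "ilasm.exe", "installutil.exe",
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe",
}

# ASSUMPTION: directories where those binaries legitimately live. Patterns are
# anchored prefixes, matched case-insensitively against the full path.
STANDARD_PATH_PATTERNS = [
    re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I),
    re.compile(r"^c:\\program files( \(x86\))?\\microsoft visual studio\\", re.I),
    re.compile(r"^c:\\program files( \(x86\))?\\msbuild\\", re.I),
    re.compile(r"^c:\\program files( \(x86\))?\\dotnet\\", re.I),
]


@dataclass
class ProcessEvent:
    """Minimal shape of an EDR process-start record (constructed for this example)."""
    host: str
    user: str
    process_name: str          # name the process ran under
    original_file_name: str    # OriginalFileName from the PE version resource
    process_path: str          # full path of the executed image
    parent_process_name: str


def is_net_windows_file(event: ProcessEvent) -> bool:
    """True if either the running name or the original file name is a tracked .NET binary."""
    names = {event.process_name.lower(), event.original_file_name.lower()}
    return bool(names & NET_WINDOWS_BINARIES)


def is_standard_path(path: str) -> bool:
    """True if the image path sits under one of the expected .NET directories."""
    return any(pattern.match(path) for pattern in STANDARD_PATH_PATTERNS)


def detect(events):
    """Return the events that are .NET binaries executed from a non-standard path."""
    return [e for e in events if is_net_windows_file(e) and not is_standard_path(e.process_path)]


# Constructed sample telemetry: two benign executions, two that should alert,
# and one unrelated process that the binary-name check filters out.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", "csc.exe", "csc.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "msbuild.exe"),
    ProcessEvent("WS01", "alice", "MSBuild.exe", "MSBuild.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 "devenv.exe"),
    ProcessEvent("WS02", "bob", "svchost.exe", "InstallUtil.exe",
                 r"C:\Users\Public\svchost.exe", "cmd.exe"),
    ProcessEvent("WS03", "carol", "RegAsm.exe", "RegAsm.exe",
                 r"C:\Users\carol\AppData\Local\Temp\RegAsm.exe", "powershell.exe"),
    ProcessEvent("WS03", "carol", "notepad.exe", "NOTEPAD.EXE",
                 r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user}: {hit.process_name} "
              f"(original {hit.original_file_name}) from {hit.process_path}, "
              f"parent {hit.parent_process_name}")
```

The renamed `svchost.exe` on WS02 is flagged only because the original file name is consulted alongside the process name; a rule that keyed on process name alone would miss it. Conversely, the Visual Studio `MSBuild.exe` is suppressed by the standard-directory list, which is where most tuning effort for this kind of rule goes in practice.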
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1036.003
  • T1036
  • T1218.004
  • T1218
Created: 2024-11-13