
Summary
This detection rule identifies process injection attempts on Windows endpoints by looking for injecting processes whose image lives outside the standard system directories, a pattern that often indicates malicious code staged in a user-writable location. The rule is built on Sysmon Event ID 8 (CreateRemoteThread), which records a process creating a thread inside another process and carries the image paths of both the injecting process (SourceImage) and the target (TargetImage) along with the thread's start address, module and function. By excluding source images under known system directories such as 'C:\Windows\' and 'C:\Program Files\', it concentrates on remote-thread creation from unusual paths, which is characteristic of the privilege escalation and defense evasion tactics covered by T1055 and its Portable Executable Injection sub-technique (T1055.002). If the behavior is confirmed as malicious, the adversary has achieved arbitrary code execution in the context of another process, which can be used to gain access to that process's privileges and data and to hide the implant from process-based inspection. Implementing this rule requires Sysmon telemetry that includes Event ID 8 to be ingested into Splunk and the search to be scheduled and alerted on. Analysts should expect tuning work: legitimate software that runs from user profiles or other non-standard paths (updaters, portable tools, some security products) also creates remote threads, and the fixed directory exclusions hide any injecting binary that an attacker manages to place under a user-writable sub-folder of an excluded root.
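The following is an added worked example, written in Python rather than the rule's own Splunk search, that re-implements the check described above over a handful of constructed Sysmon Event ID 8 records in their EVTX XML shape. It is not code from the page or from the rule's authors. The assumptions beyond the page are: 'C:\Program Files (x86)\' is treated as a third trusted root (a bare 'C:\Program Files\' prefix does not cover it), an optional strict mode refuses to trust the user-writable sub-folders C:\Windows\Temp and C:\Windows\Tasks, and every event below is sample data rather than real telemetry.

```python
"""Added example: the 'remote thread from a non-standard path' check over
constructed Sysmon Event ID 8 records. Not the rule's own SPL."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Roots the rule excludes. 'Program Files (x86)' is an assumption added here:
# a plain 'C:\Program Files\' prefix does not match it.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption beyond the page: sub-folders of a trusted root that ordinary users
# can write to, so a blanket 'C:\Windows\' exclusion would hide them.
WRITABLE_UNDER_TRUSTED = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon event (EVTX XML rendering) into a name -> value dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": (root.findtext(f"{NS}System/{NS}EventID") or "").strip()}
    for data in root.iterfind(f"{NS}EventData/{NS}Data"):
        event[data.get("Name", "")] = (data.text or "").strip()
    return event


def normalize_image(path: str) -> str:
    """Case-fold and canonicalise separators so C:/WINDOWS/x compares like c:\\windows\\x."""
    return path.strip().lower().replace("/", "\\")


def from_trusted_path(image: str, strict: bool = False) -> bool:
    """True when the image sits under a trusted root. In strict mode the
    user-writable sub-folders of those roots are not treated as trusted."""
    p = normalize_image(image)
    if strict and p.startswith(WRITABLE_UNDER_TRUSTED):
        return False
    return p.startswith(TRUSTED_ROOTS)


def find_suspicious_injections(events: Iterable[Dict[str, str]],
                               strict: bool = False) -> List[Dict[str, str]]:
    """The rule: Event ID 8 whose injecting process (SourceImage) is outside the trusted roots."""
    keep = ("UtcTime", "SourceImage", "TargetImage", "StartAddress", "StartModule", "StartFunction")
    hits = []
    for ev in events:
        if ev.get("EventID") != "8":
            continue
        src = ev.get("SourceImage", "")
        if not src or from_trusted_path(src, strict):
            continue
        hits.append({k: ev.get(k, "") for k in keep})
    return hits


def _event(event_id: str, **data: str) -> str:
    """Build a constructed Sysmon event in the EVTX XML shape (sample data, not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    # Injector staged in a user temp folder: the case the rule is meant to catch.
    _event("8", UtcTime="2024-11-13 10:00:01.000",
           SourceImage=r"C:\Users\alice\AppData\Local\Temp\update.exe",
           TargetImage=r"C:\Windows\explorer.exe",
           StartAddress="0x00007FF6A2B41000", StartModule="-", StartFunction="-"),
    # csrss.exe creating threads in new processes is routine and lives under C:\Windows\.
    _event("8", UtcTime="2024-11-13 10:00:02.000",
           SourceImage=r"C:\Windows\System32\csrss.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe",
           StartAddress="0x00007FFB1A2B3C40", StartModule=r"C:\Windows\System32\ntdll.dll",
           StartFunction="LdrInitializeThunk"),
    # 32-bit vendor agent: only excluded because the (x86) root is in the allowlist.
    _event("8", UtcTime="2024-11-13 10:00:03.000",
           SourceImage=r"C:\Program Files (x86)\Vendor\agent.exe",
           TargetImage=r"C:\Windows\System32\svchost.exe",
           StartAddress="0x0000000071A01000", StartModule="-", StartFunction="-"),
    # Binary dropped in the user-writable C:\Windows\Temp: hidden by the plain exclusion.
    _event("8", UtcTime="2024-11-13 10:00:04.000",
           SourceImage=r"C:\Windows\Temp\svc.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe",
           StartAddress="0x00007FF7C0DE1000", StartModule="-", StartFunction="-"),
    # A process-creation event (ID 1) must be ignored regardless of path.
    _event("1", UtcTime="2024-11-13 10:00:05.000",
           Image=r"C:\Users\alice\Downloads\tool.exe", CommandLine="tool.exe"),
]


def run_sample(strict: bool = False) -> List[str]:
    """Parse the constructed events and return the SourceImage of each alert, in order."""
    events = [parse_sysmon_event(xml) for xml in SAMPLE_EVENTS]
    return [hit["SourceImage"] for hit in find_suspicious_injections(events, strict)]


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "default", "->", run_sample(mode))
```

Run as-is, the default mode alerts only on the AppData injector; strict mode also surfaces the C:\Windows\Temp binary, which the directory exclusion alone would have hidden. The same normalisation matters in the production search: compare paths case-insensitively, and decide explicitly whether 'Program Files (x86)' and the writable sub-folders of C:\Windows belong on the exclusion list.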
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1055
- T1055.002
Created: 2024-11-13