
Summary
This detection rule identifies instances where the legitimate Windows utility `PsExec.exe` has been renamed and executed. Renaming `PsExec.exe` is a common evasion technique used by attackers to bypass security mechanisms while executing commands remotely. The rule uses telemetry from Endpoint Detection and Response (EDR) agents, specifically the process name and the original file name captured through logging sources such as Sysmon and Windows Event Logs. By filtering for processes whose name is not `psexec.exe` or `psexec64.exe` but whose original file name is `psexec.c`, the rule aims to detect potentially malicious behavior indicative of lateral movement or unauthorized access attempts. Implementing the rule requires ingesting the relevant process-related logs and mapping them carefully to the Endpoint data model so that renamed `PsExec` executions are detected accurately. This analytic is important for monitoring endpoint security and interrupting harmful activity that may arise from compromised accounts or systems.
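The filter described above, applied to a handful of constructed Sysmon-style process events, as an added example that is not the rule's own search logic. The field names `process_name` and `original_file_name` follow the Endpoint data model naming the summary refers to; the lowercase normalization and the `ProcessEvent` record are assumptions made for this illustration. The last sample event also shows the main blind spot a practitioner should know about: if the logging source does not populate the original file name, the rule cannot fire.

```python
"""Added example: detect renamed PsExec by comparing process name to original file name."""
from dataclasses import dataclass

# Values taken from the rule summary: the compiled binary carries "psexec.c"
# as its original file name, and the two legitimate on-disk names are these.
EXPECTED_ORIGINAL_FILE_NAME = "psexec.c"
LEGITIMATE_PROCESS_NAMES = {"psexec.exe", "psexec64.exe"}


@dataclass
class ProcessEvent:
    """Minimal Endpoint-style process record (assumed shape, not a real schema)."""
    host: str
    user: str
    process_name: str          # file name of the executable as launched
    original_file_name: str    # OriginalFileName from the PE version resource
    process: str               # full command line


def normalize(value: str) -> str:
    # Assumption: compare case-insensitively, since Windows paths and
    # version resources are not case-consistent across sources.
    return (value or "").strip().lower()


def is_renamed_psexec(event: ProcessEvent) -> bool:
    """True when the binary is PsExec by origin but runs under another name."""
    original = normalize(event.original_file_name)
    name = normalize(event.process_name)
    return original == EXPECTED_ORIGINAL_FILE_NAME and name not in LEGITIMATE_PROCESS_NAMES


def find_renamed_psexec(events):
    """Run the filter over a batch of events and return the matching ones."""
    return [e for e in events if is_renamed_psexec(e)]


# Constructed sample telemetry (not real data); each line mirrors what a
# Sysmon Event ID 1 record would contribute after CIM mapping.
SAMPLE_EVENTS = [
    # Legitimate use: name and original file name agree -> no alert.
    ProcessEvent("WS01", "CORP\\admin", "PsExec.exe", "psexec.c",
                 r"C:\Tools\PsExec.exe \\srv01 -s cmd.exe"),
    ProcessEvent("WS01", "CORP\\admin", "PsExec64.exe", "psexec.c",
                 r"C:\Tools\PsExec64.exe \\srv01 -s cmd.exe"),
    # Renamed copies: original file name still says psexec.c -> alert.
    ProcessEvent("WS02", "CORP\\jdoe", "svchost.exe", "psexec.c",
                 r"C:\Users\Public\svchost.exe \\srv02 -accepteula cmd.exe"),
    ProcessEvent("WS03", "CORP\\jdoe", "p.exe", "PsExec.c",
                 r"C:\Temp\p.exe \\srv03 -s powershell.exe"),
    # Unrelated binary -> no alert.
    ProcessEvent("WS04", "CORP\\svc", "cmd.exe", "Cmd.Exe", r"C:\Windows\System32\cmd.exe /c whoami"),
    # Blind spot: source did not populate the original file name -> no alert,
    # even though the command line looks like PsExec usage.
    ProcessEvent("WS05", "CORP\\jdoe", "update.exe", "",
                 r"C:\Temp\update.exe \\srv05 -s cmd.exe"),
]


def summarize(events):
    """Short, log-friendly description of each hit for an analyst queue."""
    return [f"{e.host} {e.user} {e.process_name} (orig={e.original_file_name})"
            for e in find_renamed_psexec(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print("ALERT renamed PsExec:", line)
```

The fifth sample event is deliberately unrelated and the sixth deliberately lacks `original_file_name`; together they show why the rule's accuracy depends on the ingestion step the summary mentions, since a source that drops or blanks the PE version field silently removes the signal the rule keys on.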
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Sensor Health
ATT&CK Techniques
- T1569.002
- T1569
Created: 2025-01-27