
Summary
This detection rule identifies execution of the Remote Utilities Remote Access Trojan (RURAT) when its executable has been renamed. RURAT is a tool often misused for unauthorized remote access to, and control over, compromised systems. The detection matches on the 'Product' field of the PE (Portable Executable) header to confirm that the running process is identified as 'Remote Utilities'. A filter on the image name, \rutserv.exe and \rfusclient.exe being the file names commonly associated with RURAT, ensures that the rule triggers only on renamed copies. The rule uses process creation log data from Windows systems, enabling timely detection of potentially malicious activity involving this RAT. It is assigned medium severity because of the risk inherent in abuse of such applications for remote access. Validate any alert generated by this rule against known good processes to minimize false positives.
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-19