
Summary
This detection rule identifies potential malicious use of SysmonEnte, a tool that attacks the integrity of Sysmon (System Monitor) on Windows systems. Sysmon is a widely deployed component for recording system activity, including process creation, network connections and process access, which makes it a natural target for an adversary who wants to operate unseen. When SysmonEnte is executed, it tampers with the running Sysmon process from within, degrading the events Sysmon reports so that subsequent malicious activity is obscured and detection is evaded. The rule matches process access events (Sysmon Event ID 10) in which the Sysmon executable is the target and the handle is opened with specific granted access rights, and it applies a CallTrace filter to check whether the accessing process's call stack matches the indicators associated with SysmonEnte. Filters exclude benign source processes running from trusted directories (such as the Microsoft Windows Defender directory), so the detection focuses on accesses that deviate from regular behavior. Because the rule depends on Sysmon itself recording the access, ProcessAccess logging for the Sysmon process must be enabled in the Sysmon configuration and events should be forwarded promptly: a successful tamper may be the last thing Sysmon reports. The rule is particularly useful for blue teams and incident responders defending against defense-evasion techniques.
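As an added example, not part of this rule page or the rule's own logic, the following Python re-implements the described selection and filtering over a few constructed Sysmon Event ID 10 records. The GrantedAccess values (0x1000, 0x1400) and the "UNKNOWN" CallTrace marker are assumptions taken from the public SysmonEnte write-up rather than from this page, and the Windows Defender allowlist is illustrative.

```python
"""Toy re-implementation of the SysmonEnte detection described above.

Runs the selection (Sysmon.exe targeted, suspicious GrantedAccess, CallTrace
indicator) and the trusted-directory filter over constructed Sysmon Event ID 10
(ProcessAccess) records serialized as JSON lines.

Assumptions (not stated on the page): the GrantedAccess values and the
'UNKNOWN' CallTrace marker mirror the public SysmonEnte write-up; the
trusted-directory allowlist is illustrative, not the rule's exact filter.
"""
import json

# Assumed indicators; the page only says "specific granted access rights"
# and "a CallTrace filter".
SUSPICIOUS_GRANTED_ACCESS = {"0x1000", "0x1400"}
CALLTRACE_MARKER = "UNKNOWN"  # call-stack frame not backed by an image on disk
TRUSTED_SOURCE_PREFIXES = (   # illustrative allowlist of benign accessors
    "c:\\programdata\\microsoft\\windows defender\\",
    "c:\\program files\\windows defender\\",
)
SYSMON_IMAGES = ("\\sysmon.exe", "\\sysmon64.exe")


def is_sysmonente_like(event: dict) -> bool:
    """Return True when a ProcessAccess event matches the selection and is
    not excluded by the trusted-directory filter."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(SYSMON_IMAGES):
        return False
    if event.get("GrantedAccess", "").lower() not in SUSPICIOUS_GRANTED_ACCESS:
        return False
    if CALLTRACE_MARKER not in event.get("CallTrace", ""):
        return False
    source = event.get("SourceImage", "").lower()
    if source.startswith(TRUSTED_SOURCE_PREFIXES):
        return False  # benign accessor from a trusted directory
    return True


def scan(lines):
    """Parse JSON-lines Sysmon events and return the records that match."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_sysmonente_like(event):
            hits.append(event)
    return hits


# Constructed sample events (not real telemetry). Only the first line should
# alert: line 2 is Defender (filtered), line 3 has no UNKNOWN frame, line 4
# targets lsass.exe rather than Sysmon, line 5 is not a ProcessAccess event.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\victim\\Desktop\\SysmonEnte.exe", "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(000001F4A3B20000)"}
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2208.7-0\\MsMpEng.exe", "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00007FF6A1B20000)"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\Sysmon64.exe", "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2c5d"}
{"EventID": 10, "SourceImage": "C:\\Users\\victim\\Desktop\\SysmonEnte.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": "UNKNOWN(000001F4A3B20000)"}
{"EventID": 1, "Image": "C:\\Windows\\Sysmon64.exe", "CommandLine": "Sysmon64.exe -c config.xml"}
"""


def alerting_sources():
    """Convenience wrapper: SourceImage of every record that alerts."""
    return [hit["SourceImage"] for hit in scan(SAMPLE_EVENTS.splitlines())]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']} "
              f"GrantedAccess={hit['GrantedAccess']}")
```

The allowlist is a prefix match on the full SourceImage path, so an attacker cannot bypass it by naming a binary MsMpEng.exe in a user-writable directory; extending it to other EDR or backup agents that legitimately open Sysmon is the usual tuning step, and every added prefix should point at a directory ordinary users cannot write to.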
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-07