
Windows LOLBAS Executed Outside Expected Path

Splunk Security Content

Summary
This detection rule identifies instances where LOLBAS (Living Off The Land Binaries and Scripts) executables are executed from paths other than their expected locations. LOLBAS are native Windows binaries that threat actors frequently abuse to carry out malicious activity while masquerading as legitimate processes. An execution from outside designated directories such as 'Program Files' or 'Windows System32' can indicate an adversary attempting to evade detection mechanisms and run harmful code on the system. The rule draws on process-creation telemetry from Sysmon Event ID 1 and Windows Security Event ID 4688 and analyzes the execution path to flag anomalies that suggest potentially malicious behavior.
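The following is an added illustration of the detection logic described above, written in Python rather than Splunk's search language; it is not the rule's own code from Splunk Security Content. It assumes a small watch-list of LOLBAS names (rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe, msiexec.exe), a set of expected parent directories (System32, SysWOW64, Program Files and Program Files (x86)), and a constructed key=value rendering of Sysmon Event ID 1 and Security 4688 records, where the process path sits in the Image and NewProcessName fields respectively.

```python
import ntpath
import re

# Constructed sample process-creation records (not real Splunk output):
# two Sysmon Event ID 1 records and two Windows Security 4688 records.
SAMPLE_EVENTS = [
    r'EventCode=1 Computer=ws01 Image="C:\Windows\System32\rundll32.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventCode=1 Computer=ws01 Image="C:\Users\Public\rundll32.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventCode=4688 Computer=ws02 NewProcessName="C:\Temp\CertUtil.exe" ParentProcessName="C:\Windows\System32\cmd.exe"',
    r'EventCode=4688 Computer=ws02 NewProcessName="C:\Program Files\Vendor\app.exe" ParentProcessName="C:\Windows\explorer.exe"',
]

# Assumed watch-list of LOLBAS binary names; the published rule's list is not on this page.
LOLBAS_NAMES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "msiexec.exe"}

# Assumed expected locations; the summary names Program Files and Windows System32.
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# key=value pairs; quoted values may contain spaces (e.g. "Program Files").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value record into a dict of field name -> value."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in KV_RE.findall(line)}


def process_path(event):
    """Sysmon EID 1 carries the new process path in Image; Security 4688 in NewProcessName."""
    if event.get("EventCode") == "1":
        return event.get("Image")
    if event.get("EventCode") == "4688":
        return event.get("NewProcessName")
    return None


def normalize(path):
    """Lower-case, strip surrounding quotes and unify separators so comparisons are stable."""
    return path.strip('"').replace("/", "\\").lower()


def in_expected_location(path):
    """True if the file's directory is one of the expected roots or sits beneath one."""
    directory = ntpath.dirname(normalize(path))
    return any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DIRS)


def evaluate(event):
    """Return a finding if a LOLBAS name runs from an unexpected directory, else None."""
    path = process_path(event)
    if not path:
        return None
    name = ntpath.basename(normalize(path))
    if name not in LOLBAS_NAMES or in_expected_location(path):
        return None
    return {
        "host": event.get("Computer"),
        "binary": name,
        "path": path,
        "source": "sysmon_1" if event["EventCode"] == "1" else "security_4688",
    }


def scan(lines):
    """Run the check over a batch of records and collect the findings in order."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second and third constructed records are flagged: rundll32.exe under C:\Users\Public and certutil.exe under C:\Temp. The System32 copy of rundll32.exe and the vendor application under Program Files pass. Two caveats apply to any implementation of this idea: matching on the file name alone misses a LOLBAS binary that has been copied and renamed, so correlating on the PE's original file name (Sysmon's OriginalFileName field) is a stronger key, and legitimate duplicates of system binaries (for example under WinSxS or installer staging folders) will need tuning or an allow-list.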
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1036
  • T1036.005
  • T1218.011
Created: 2024-11-13