WinWord.exe

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.