diff --git a/rules/defense_evasion_potential_process_doppelganging_injection.yml b/rules/defense_evasion_potential_process_doppelganging_injection.yml
deleted file mode 100644
index da2a1f306..000000000
--- a/rules/defense_evasion_potential_process_doppelganging_injection.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Potential Process Doppelganging
-id: eb34cf6e-ccc3-4bce-bbcf-013720640a28
-version: 1.0.2
-description: |
-  Adversaries may inject malicious code into process via process doppelganging
-  in order to evade process-based defenses as well as possibly elevate privileges.
-  Process doppelganging is a method of executing arbitrary code in the address space
-  of a separate live process.
-
-  Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform
-  safe file operations. To ensure data integrity, TxF enables only one transacted
-  handle to write to a file at a given time. Until the write handle transaction is
-  terminated, all other handles are isolated from the writer and may only read the
-  committed version of the file that existed at the time the handle was opened. To
-  avoid corruption, TxF performs an automatic rollback if the system or application
-  fails during a write transaction.
-
-  Although deprecated, the TxF application programming interface (API) is still enabled
-  as of Windows 11.
-
-  Adversaries may abuse TxF to a perform a file-less variation of Process Injection.
-  Similar to Process Hollowing, process doppelganging involves replacing the memory of
-  a legitimate process, enabling the veiled execution of malicious code that may evade
-  defenses and detection. Process doppelganging's use of TxF also avoids the use of
-  highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and
-  SetThreadContext.
-
-  Process Doppelganging is implemented in 4 steps:
-
-  1. Transact – Create a TxF transaction using a legitimate executable then overwrite
-  the file with malicious code.
-  2. Load – Create a shared section of memory and load the malicious executable.
-  3. Rollback – Undo changes to original executable, effectively removing malicious code
-  from the file system.
-  4. Animate – Create a process from the tainted section of memory and initiate execution.
-labels:
-  tactic.id: TA0005
-  tactic.name: Defense Evasion
-  tactic.ref: https://attack.mitre.org/tactics/TA0005/
-  technique.id: T1055
-  technique.name: Process Injection
-  technique.ref: https://attack.mitre.org/techniques/T1055/
-  subtechnique.id: T1055.013
-  subtechnique.name: Process Doppelganging
-  subtechnique.ref: https://attack.mitre.org/techniques/T1055/013/
-references:
-  - https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging
-  - https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris
-
-condition: >
-  sequence
-  maxspan 2m
-    |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by ps.uuid
-    |spawn_process| by ps.parent.uuid
-action:
-  - name: kill
-
-min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_process_creation_via_ntfs_transaction.yml b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml
new file mode 100644
index 000000000..866a120b3
--- /dev/null
+++ b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml
@@ -0,0 +1,39 @@
+name: Process creation via NTFS transaction
+id: eb34cf6e-ccc3-4bce-bbcf-013720640a28
+version: 2.0.0
+description: |
+  Adversaries may inject malicious code into process by abusing NTFS transactions
+  to avoid writing the final executable image to disk. Attackers exploit TxF API
+  and low-level process creation internals to evade traditional file-based detection.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1055
+  technique.name: Process Injection
+  technique.ref: https://attack.mitre.org/techniques/T1055/
+  subtechnique.id: T1055.013
+  subtechnique.name: Process Doppelganging
+  subtechnique.ref: https://attack.mitre.org/techniques/T1055/013/
+references:
+  - https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging
+  - https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris
+
+condition: >
+  sequence
+  maxspan 2m
+    |create_file and
+     evt.pid != 4 and thread.callstack.symbols imatches
+                    (
+                      'kernel32.dll!CreateFileTransacted*',
+                      'ntdll.dll!RtlSetCurrentTransaction'
+                    )
+    | by file.name
+    |spawn_process and
+     ps.name != base(ps.exe) and
+     thread.callstack.symbols not imatches ('ntdll.dll!*CreateUserProcess')
+    | by ps.name
+action:
+  - name: kill
+
+min-engine-version: 3.0.0