Remote Access Tool - ScreenConnect Installation Execution

Sigma Rules

Summary
This detection rule identifies the execution of the ScreenConnect application, which is commonly used for remote access to systems. The detection criteria are specific argument patterns in the command-line options passed when the application is invoked. These command-line parameters (e.g., 'e=Access&', 'y=Guest&', etc.) indicate the start of a remote session and may point to an unauthorized remote access attempt. The rule applies to Windows environments, where ScreenConnect is deployed as a remote access tool. Because ScreenConnect is also used legitimately in administrative contexts, false positives can occur, so incidents flagged by this rule require analyst review. The rule is authored by Florian Roth at Nextron Systems and was last modified in February 2024.
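The following Python is an added example, not the Sigma rule itself: it applies the two command-line fragments quoted in the summary to constructed process-creation events and returns the hits with the launching account, so the false-positive check the summary calls for (was this a known administrator?) can be done. The executable paths, relay hostname and usernames are placeholders; the real rule lists further markers than the two shown here.

```python
from dataclasses import dataclass

# Command-line fragments quoted in the rule summary. The actual Sigma rule
# lists further markers ("etc."); consult its YAML for the complete selection.
SESSION_MARKERS = ("e=Access&", "y=Guest&")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # executable path from the process-creation log
    command_line: str   # full command line as logged
    user: str           # account that launched the process


def is_screenconnect_session_launch(event: ProcessEvent) -> bool:
    """True when the command line carries a ScreenConnect session parameter."""
    return any(marker in event.command_line for marker in SESSION_MARKERS)


def triage(events):
    """Return (image, user) for each hit. The summary notes that legitimate
    administrative use triggers the rule, so the launching account is the
    first thing an analyst compares against the list of approved admins."""
    return [(e.image, e.user) for e in events if is_screenconnect_session_launch(e)]


# Constructed sample events; every path, host and account name is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(  # installer run with a session query string: should fire
        image=r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
        command_line=r'"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe" '
                     r'"?e=Access&y=Guest&h=relay.example.invalid&p=8041"',
        user="CORP\\alice",
    ),
    ProcessEvent(  # installed client started by its service, no query string
        image=r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.exe",
        command_line=r'"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.exe"',
        user="NT AUTHORITY\\SYSTEM",
    ),
    ProcessEvent(  # unrelated process: must not fire
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe notes.txt",
        user="CORP\\alice",
    ),
]

if __name__ == "__main__":
    for image, user in triage(SAMPLE_EVENTS):
        print(f"ScreenConnect session launch: {image} by {user}")
```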
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-02-11