
Register new Logon Process by Rubeus

Sigma Rules

Summary
This rule detects use of Rubeus, a post-exploitation tool for Kerberos abuse in Windows environments, by catching the trusted logon process it registers with the Local Security Authority. It matches Windows Security log Event ID 4611 ("A trusted logon process has been registered with the Local Security Authority") where the `LogonProcessName` field is `User32LogonProcess`, the name Rubeus passes to `LsaRegisterLogonProcess` when it obtains an elevated LSA handle (for example to dump tickets or inject them into another logon session). Event 4611 is only written when the "Audit Security System Extension" subcategory of the system audit policy is enabled, so confirm that policy is in effect before relying on the rule. Legitimate components such as Winlogon also register logon processes, so the registered name, not the event itself, is the indicator; a hit on `User32LogonProcess` warrants investigating the subject account and logon ID for lateral movement, privilege escalation, or credential access, especially alongside other indicators of Rubeus activity.
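To show how the selection above behaves on real-looking telemetry, here is an added example (not the rule's own code, and not from the Sigma project) that re-implements the rule's selection in Python and runs it over constructed Security-log events. The rule dictionary, the sample events, and the `KNOWN_LOGON_PROCESSES` allow-list are assumptions made for this example; the field names follow the Windows Security log, and Sigma's default case-insensitive string matching is reproduced so a lowercased `user32logonprocess` still hits while the `User32 ` value carried by interactive 4624 logons does not.

```python
"""Added example: evaluate the 'Register new Logon Process by Rubeus'
selection over constructed Event ID 4611 / 4624 records."""

# Rule logic as stated on the page (selection fields only); the logsource
# block is an assumption matching the Security log the page describes.
RULE = {
    "title": "Register new Logon Process by Rubeus",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4611, "LogonProcessName": "User32LogonProcess"},
        "condition": "selection",
    },
}

# Constructed sample events (not real telemetry). Subject fields follow the
# 4611/4624 event schema; values are invented for this example.
SAMPLE_EVENTS = [
    # Benign: Winlogon registering at boot under SYSTEM (logon ID 0x3e7).
    {"EventID": 4611, "LogonProcessName": "Winlogon",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "SubjectLogonId": "0x3e7"},
    # Rubeus registering its logon process from an elevated user session.
    {"EventID": 4611, "LogonProcessName": "User32LogonProcess",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x4f2a1"},
    # Interactive logon: 4624 also carries LogonProcessName ("User32 "),
    # which must not match because both EventID and the value differ.
    {"EventID": 4624, "LogonProcessName": "User32 ",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x3e7"},
    # Same indicator with different casing; Sigma string matching is
    # case-insensitive, so this must still hit.
    {"EventID": 4611, "LogonProcessName": "user32logonprocess",
     "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x5b0c3"},
    # Benign: IPsec IKE registering its logon process.
    {"EventID": 4611, "LogonProcessName": "IKE",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "SubjectLogonId": "0x3e7"},
]

# Assumed baseline of logon process names seen on a healthy host; tune per
# environment. Anything else registering via 4611 deserves a look.
KNOWN_LOGON_PROCESSES = {"winlogon", "ike", "schannel"}


def _field_matches(actual, expected):
    """Sigma plain-value semantics: strings compare case-insensitively,
    non-strings (EventID) compare exactly; a missing field never matches."""
    if actual is None:
        return False
    if isinstance(expected, str):
        return str(actual).casefold() == expected.casefold()
    return actual == expected


def matches_selection(event, selection):
    """All fields in a Sigma selection map are ANDed together."""
    return all(_field_matches(event.get(f), v) for f, v in selection.items())


def evaluate(events, rule=RULE):
    """Return the events that satisfy the rule's single-selection condition."""
    selection = rule["detection"]["selection"]
    return [e for e in events if matches_selection(e, selection)]


def triage_line(hit):
    """One-line summary an analyst would pivot on: who registered, from
    which logon session."""
    return (f"EventID {hit['EventID']} LogonProcessName={hit['LogonProcessName']!r} "
            f"subject={hit['SubjectDomainName']}\\{hit['SubjectUserName']} "
            f"logonid={hit['SubjectLogonId']}")


def unfamiliar_logon_processes(events, known=KNOWN_LOGON_PROCESSES):
    """Broader hunt than the rule: every 4611 name not in the baseline,
    case-folded and de-duplicated."""
    names = {str(e["LogonProcessName"]).casefold()
             for e in events if e.get("EventID") == 4611}
    return sorted(names - {k.casefold() for k in known})


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", triage_line(hit))
    print("Unbaselined 4611 names:", unfamiliar_logon_processes(SAMPLE_EVENTS))
```

Running the block alerts on the two `User32LogonProcess` registrations and on nothing else; the baseline helper surfaces the same name as the only unbaselined registrant, which is the pattern to look for when the Rubeus build in use has changed the hard-coded name.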
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
Created: 2019-10-24