
HackTool - Impacket File Indicators

Sigma Rules

Summary
This Sigma detection rule monitors Windows file creation events (Sysmon Event ID 11 or an equivalent file-create telemetry source) for filenames that match a pattern characteristic of Impacket tooling. Impacket is a collection of Python classes for working with network protocols; its example scripts, secretsdump in particular, are widely used by attackers for credential access (the rule references ATT&CK techniques such as T1003.001). The detection is a regular expression that matches 'sessionresume_' followed by exactly eight alphanumeric characters in the created file's name, the naming convention secretsdump uses for the session-resume file it writes while dumping NTDS.DIT. Two practical caveats: the rule is marked experimental, so it will likely need tuning to reduce false positives and should be tested in a controlled environment before production deployment; and the indicator covers only the default filename, so an operator who supplies a custom resume filename (secretsdump's -resumefile option) will not trigger it.
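The following is an added example, not code from the Sigma project or from the rule itself: it applies the rule's file-name indicator to a handful of constructed Sysmon-style file-create records so you can see exactly which names match and which do not. The leading path-separator and trailing end-of-string anchors on the regex, the key=value record format, and the mapping to Event ID 11 are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List

# Indicator from the rule summary: "sessionresume_" followed by exactly eight
# alphanumeric characters in the created file's name. The leading "\\" (path
# separator) and the trailing "$" anchor are assumptions about how the rule's
# regex is written; they are not quoted from the rule itself.
IMPACKET_SESSIONRESUME_RE = re.compile(r"\\sessionresume_[A-Za-z0-9]{8}$")


def parse_file_event(line: str) -> Dict[str, str]:
    """Parse one constructed, Sysmon-style file-create record.

    The format (space-separated key=value pairs; values containing spaces are
    not supported) is an assumption made for this example.
    """
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_impacket_sessionresume(target_filename: str) -> bool:
    """Return True when the created file's name matches the indicator."""
    return IMPACKET_SESSIONRESUME_RE.search(target_filename) is not None


def find_impacket_file_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule logic over file-create records and return the hits.

    Only file-create events (assumed here to be Sysmon Event ID 11) are
    considered; the same string in a command line would not be a hit.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_file_event(line)
        if event.get("EventID") != "11":
            continue
        if is_impacket_sessionresume(event.get("TargetFilename", "")):
            hits.append(event)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Default resume file written to the working directory: hit.
    r"EventID=11 Image=C:\Python311\python.exe TargetFilename=C:\Users\svc\sessionresume_A7kQ92Zb",
    # Same name under a temp directory: hit (the pattern is on the name, not the path).
    r"EventID=11 Image=C:\Tools\secretsdump.exe TargetFilename=C:\Windows\Temp\sessionresume_x1Y2z3W4",
    # Only seven characters after the underscore: no hit.
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\svc\sessionresume_abc1234",
    # Trailing extension means the eight characters are not at the end: no hit.
    r"EventID=11 Image=C:\Windows\notepad.exe TargetFilename=C:\Users\svc\sessionresume_Ab12Cd34.txt",
    # Process-create event, not a file-create event: no hit regardless of content.
    r"EventID=1 Image=C:\Python311\python.exe CommandLine=secretsdump.py",
    # Operator-chosen resume file name (assumed -resumefile usage): the indicator misses it.
    r"EventID=11 Image=C:\Python311\python.exe TargetFilename=C:\Users\svc\notes.txt",
]


if __name__ == "__main__":
    for hit in find_impacket_file_indicators(SAMPLE_LOG):
        print(f"ALERT Impacket file indicator: {hit['Image']} -> {hit['TargetFilename']}")
```

Running the script against the constructed records produces two alerts, for the two default-named resume files. The last record shows why the rule is a default-name indicator rather than a behavioural one: a renamed resume file creates no hit, so pair it with process-based Impacket detections rather than relying on it alone.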
Categories
  • Windows
Data Sources
  • File
Created: 2025-05-19