
Summary
The rule detects the execution of attack tools commonly used for Server Message Block (SMB) relay attacks on Windows systems. Attackers often use these tools to escalate the privileges of compromised accounts. The detection logic matches specific filenames or command-line arguments associated with the tools: the rule fires when one of the designated filenames (e.g., PetitPotam, RottenPotato, HotPotato) appears in a process creation event together with command-line patterns suggesting malicious intent, while excluding benign applications whose names happen to coincide with these tool names. The aim is to strengthen endpoint security by flagging potentially malicious activity linked to SMB relay exploits, which can lead to unauthorized privilege elevation in an Active Directory environment. Given the impact of such attacks, this detection is critical for maintaining the integrity of sensitive Windows environments.
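The matcher below is an added example, not the rule's own logic or any vendor's code. It applies the summary's idea to Windows process-creation events: an event is flagged when one of the tool names listed on the page (PetitPotam, RottenPotato, HotPotato) appears in the executed image's filename, in the binary's PE OriginalFileName, or in the command line, unless the image is on an allow-list of benign name collisions. The command-line check and the allow-list entry are assumed placeholders, since the page does not reproduce the rule's actual patterns or exclusions; the sample events are constructed.

```python
"""Added example, not the rule's own logic.

Applies the summary's detection idea to Windows process-creation events:
flag an event when a known SMB-relay tool name (names taken from the page:
PetitPotam, RottenPotato, HotPotato) appears in the executed image's filename,
in its PE OriginalFileName, or in the command line, unless the image is on a
benign allow-list. The allow-list entry is an ASSUMED placeholder and the
command-line check is a simplification of whatever the real rule uses.
"""
from dataclasses import dataclass
from typing import List

# Tool names from the rule summary, lower-cased for case-insensitive matching.
TOOL_NAMES = ("petitpotam", "rottenpotato", "hotpotato")

# ASSUMED exclusion list: full paths of benign binaries whose names collide
# with a tool name. Constructed for this example; keyed on the full path so a
# renamed copy dropped elsewhere on disk still fires.
BENIGN_IMAGES = {
    r"c:\program files\hotpotato games\hotpotato.exe",
}


@dataclass
class ProcessCreationEvent:
    """Minimal view of a Sysmon/EDR process-creation record (constructed)."""
    event_id: str
    image: str                    # full path of the started binary
    command_line: str
    original_file_name: str = ""  # PE version-info filename, if the sensor logs it


def _basename(path: str) -> str:
    """Return the lower-cased final path component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_smb_relay_tool(ev: ProcessCreationEvent) -> bool:
    """Return True when the event looks like one of the listed relay tools."""
    if ev.image.lower() in BENIGN_IMAGES:
        return False  # explicit allow-list wins over every name match
    haystacks = (
        _basename(ev.image),
        ev.original_file_name.lower(),
        ev.command_line.lower(),
    )
    return any(name in h for name in TOOL_NAMES for h in haystacks)


def scan(events: List[ProcessCreationEvent]) -> List[str]:
    """Return the ids of events the matcher flags, in input order."""
    return [ev.event_id for ev in events if matches_smb_relay_tool(ev)]


# Constructed sample events covering each branch of the matcher.
SAMPLE_EVENTS = [
    # Tool run under its own filename.
    ProcessCreationEvent("evt-1", r"C:\Users\alice\Downloads\PetitPotam.exe",
                         '"PetitPotam.exe"'),
    # Renamed binary: filename is bland, but the PE metadata still names the tool.
    ProcessCreationEvent("evt-2", r"C:\Windows\Temp\svc.exe", '"svc.exe"',
                         original_file_name="RottenPotato.exe"),
    # Tool referenced only on the command line of a launcher process.
    ProcessCreationEvent("evt-3", r"C:\Windows\System32\cmd.exe",
                         r"cmd.exe /c C:\Temp\HotPotato.exe"),
    # Benign name collision covered by the allow-list.
    ProcessCreationEvent("evt-4", r"C:\Program Files\HotPotato Games\HotPotato.exe",
                         '"HotPotato.exe"'),
    # Ordinary system process, no match.
    ProcessCreationEvent("evt-5", r"C:\Windows\System32\svchost.exe",
                         "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for eid in scan(SAMPLE_EVENTS):
        print("ALERT:", eid)
```

Matching on a tool's name is cheap but brittle: a renamed binary with stripped version information is missed by the first two checks, which is why the rule also keys on command-line arguments, and why a name-only hit should be corroborated with the parent process and the user context before it is escalated.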
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Process
- Application Log
Created: 2021-07-24