SimpleHelp Remote Access Tool Execution

Anvilogic Forge

Summary
This detection rule identifies the execution of unauthorized remote access tools, specifically SimpleHelp and related variants, by analyzing process creation events on Windows hosts. Remote Access Tools (RATs) such as SimpleHelp can be abused by threat actors to maintain persistent access to compromised systems, often masquerading as legitimate IT support software. The detection is implemented on the Splunk platform and uses Sysmon process creation data to find events whose image path, file name or command line contains keywords and patterns associated with the SimpleHelp tools. The logic filters down to the specific executable names used by the tool, so that a match is a strong signal of remote access activity rather than a generic keyword hit, and gives security teams an actionable indicator that an endpoint may be compromised. Careful monitoring of these process events lets defenders respond to and contain such intrusions earlier.
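The following is an added example, not Anvilogic's rule or Splunk query, showing the same detection logic as a standalone check over Sysmon Event ID 1 (process creation) records. The indicator strings (`simplehelp`, `jwrapper-remote access`, `remote access.exe`), the field names, the sample events and the `allowed_hosts` suppression list are all assumptions constructed for this example and should be tuned against real telemetry.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicator substrings assumed to identify SimpleHelp binaries and install paths.
# These are assumptions for this example, not an official indicator list.
SIMPLEHELP_INDICATORS = [
    r"simplehelp",
    r"jwrapper-remote access",
    r"remote access\.exe",
]
_INDICATOR_RE = re.compile("|".join(SIMPLEHELP_INDICATORS), re.IGNORECASE)

# Sysmon Event ID 1 fields the check inspects, in priority order.
FIELDS = ("Image", "OriginalFileName", "CommandLine", "ParentImage")


def matched_indicator(event: Dict[str, object]) -> Optional[str]:
    """Return 'Field=matched text' for the first field that hits an indicator, else None."""
    for field in FIELDS:
        value = str(event.get(field, ""))
        m = _INDICATOR_RE.search(value)
        if m:
            return f"{field}={m.group(0)}"
    return None


def detect_simplehelp(events: Iterable[Dict[str, object]],
                      allowed_hosts: frozenset = frozenset()) -> List[Dict[str, str]]:
    """Emit one alert per process-creation event that matches a SimpleHelp indicator.

    allowed_hosts: hosts where IT support tooling is sanctioned (assumed allowlist);
    matches on those hosts are suppressed to keep the rule actionable.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process creation events
            continue
        if ev.get("Computer") in allowed_hosts:
            continue
        hit = matched_indicator(ev)
        if hit:
            alerts.append({
                "host": str(ev.get("Computer")),
                "user": str(ev.get("User", "")),
                "image": str(ev.get("Image", "")),
                "indicator": hit,
                "technique": "T1219",
            })
    return alerts


# Constructed Sysmon-style records for demonstration only (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Computer": "WS-017", "User": "CORP\\alice",
     "Image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
     "OriginalFileName": "Remote Access.exe",
     "CommandLine": r'"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "WS-017", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Temp\SimpleHelp-setup.exe" /S',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Computer": "WS-042",   # network event: out of scope for this rule
     "Image": r"C:\Temp\SimpleHelp-setup.exe"},
    {"EventID": 1, "Computer": "HELPDESK-01", "User": "CORP\\helpdesk",
     "Image": r"C:\Program Files\SimpleHelp\Remote Access.exe",
     "OriginalFileName": "Remote Access.exe",
     "CommandLine": r'"C:\Program Files\SimpleHelp\Remote Access.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for alert in detect_simplehelp(SAMPLE_EVENTS, allowed_hosts=frozenset({"HELPDESK-01"})):
        print(alert)
```

Running the block prints two alerts: the SimpleHelp binary launched under the assumed `JWrapper-Remote Access` path on WS-017, and the installer invoked through `cmd.exe` on WS-042. The svchost event produces nothing, the Event ID 3 record is skipped because the rule only covers process creation, and the sanctioned helpdesk host is suppressed by the allowlist.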
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1219
Created: 2025-04-11