
Summary
This analytic rule detects execution of the NetExec tool (also known as CrackMapExec), which is commonly used for post-exploitation in Active Directory environments. It identifies command-line arguments and execution patterns that indicate malicious activity, in particular Kerberos ticket manipulation, kerberoasting, and password spraying. Because NetExec is associated with privilege escalation and lateral movement within an organization, detecting it is critical for preventing unauthorized access and protecting sensitive information. The detection relies on Endpoint Detection and Response (EDR) data, focusing on process-creation event IDs and process listings that show NetExec-related commands. By monitoring these command-line parameters, the rule aims to surface misuse early and mitigate the risk of advanced persistent threats targeting Active Directory.
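The detection logic described above, as an added example that is not the rule's own query: it runs over constructed process-creation events (Sysmon Event ID 1 / Windows 4688 shaped) and tags each NetExec hit with the behaviour its arguments suggest. The tool names and argument patterns are assumptions about the NetExec/CrackMapExec command line, not values taken from the page.

```python
import re

# Constructed sample process-creation events (not from the original page); the
# fields mimic Sysmon Event ID 1 / Windows 4688 records as an EDR would surface them.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Tools\nxc.exe",
     "cmdline": "nxc ldap dc01.corp.local -u svc -p Passw0rd --kerberoasting roast.txt"},
    {"event_id": 4688, "image": r"C:\Python311\python.exe",
     "cmdline": "python crackmapexec.py smb 10.0.0.0/24 -u users.txt -p Spring2025 --continue-on-success"},
    {"event_id": 1, "image": r"C:\Tools\nxc.exe", "cmdline": "nxc smb fs01 --use-kcache"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Process names the tool and its predecessor are distributed under (assumption).
TOOL_NAMES = re.compile(r"(?:^|[\\/\s])(?:netexec|nxc|crackmapexec|cme)(?:\.exe|\.py)?(?=\s|$)", re.I)

# Argument patterns mapped to the behaviours the rule cares about. The flag
# names are an assumption about NetExec's CLI, not taken from the page.
BEHAVIOURS = {
    "kerberoasting": re.compile(r"--(?:kerberoasting|asreproast)\b"),
    "kerberos_ticket_use": re.compile(r"(?:\s-k\b|--use-kcache\b)"),
    "password_spraying": re.compile(r"-u\s+\S+\.txt\b|--continue-on-success\b"),
}


def classify(event):
    """Return the matched behaviours for one event, or None if NetExec is not involved."""
    if event.get("event_id") not in (1, 4688):
        return None
    cmd = event.get("cmdline", "")
    if not TOOL_NAMES.search(cmd) and not TOOL_NAMES.search(event.get("image", "")):
        return None
    tags = [name for name, pattern in BEHAVIOURS.items() if pattern.search(cmd)]
    # Bare execution with no recognised argument is still worth a lower-severity alert.
    return tags or ["tool_execution"]


def detect(events):
    """Run the rule over a batch of events; returns (cmdline, tags) for each hit."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags is not None:
            hits.append((event["cmdline"], tags))
    return hits


if __name__ == "__main__":
    for cmdline, tags in detect(SAMPLE_EVENTS):
        print(f"{tags}: {cmdline}")
```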
Categories
- Endpoint
- Windows
- Infrastructure
- Cloud
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1550
- T1550.003
- T1558
- T1558.003
- T1558.004
Created: 2025-01-09