Summary
This detection rule is designed to identify potential exploitation of the EternalBlue vulnerability through the Metasploit Framework. Adversaries may use valid credentials to access remote network shares over the Server Message Block (SMB) protocol, so the rule monitors authentication attempts to SMB shares that could be associated with the EternalBlue exploit. The underlying logic captures Windows event logs indicating failed (`EventCode=4625`) or successful (`EventCode=4624`) logon attempts that use the NTLM authentication package and are network (remote) logons (`LogonType=3`); the NTLM logon-failure events are included so that a matching success can be validated against preceding failures. The rule uses a regex to keep only hostnames that follow a specific naming convention (exactly 16 alphanumeric characters), which reduces false positives from typical workstation naming practices. The rule also produces a succinct overview of key fields, including timestamps, hosts, users, and source/destination details, tailoring the output for forensic analysis.
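The matching logic described above, as an added example that is not the rule's own search query: the filter conditions (`EventCode` 4624 or 4625, `LogonType=3`, NTLM authentication package, 16-character alphanumeric workstation name) are applied to a handful of constructed Windows Security event records and reduced to the forensic fields the summary lists. The field names (`EventCode`, `Logon_Type`, `Authentication_Package`, `Workstation_Name`, `Source_Network_Address`, `Account_Name`, `ComputerName`) follow common Splunk-style extractions and are an assumption here, as are the sample values.

```python
"""
Added example (not the rule's own query): the matching logic the summary
describes, run over constructed Windows Security event records.
Field names follow common Splunk-style extractions and are an assumption.
"""
import re
from collections import Counter

# Hostname shape the rule keys on: exactly 16 alphanumeric characters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]{16}$")

# Constructed sample events (not real logs): a matching success, a normal
# workstation, an interactive logon, a Kerberos logon, and a matching failure.
SAMPLE_EVENTS = [
    {"_time": "2024-07-02T10:01:03Z", "ComputerName": "FILESRV01",
     "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Workstation_Name": "Ab3kZq9PxT2mN7Lr", "Account_Name": "svc_backup",
     "Source_Network_Address": "10.0.5.23"},
    {"_time": "2024-07-02T10:01:05Z", "ComputerName": "FILESRV01",
     "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Workstation_Name": "HR-LAPTOP-042", "Account_Name": "jdoe",
     "Source_Network_Address": "10.0.7.81"},
    {"_time": "2024-07-02T10:01:09Z", "ComputerName": "FILESRV01",
     "EventCode": 4624, "Logon_Type": 2, "Authentication_Package": "NTLM",
     "Workstation_Name": "Ab3kZq9PxT2mN7Lr", "Account_Name": "admin",
     "Source_Network_Address": "-"},
    {"_time": "2024-07-02T10:01:12Z", "ComputerName": "FILESRV01",
     "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "Kerberos",
     "Workstation_Name": "Ab3kZq9PxT2mN7Lr", "Account_Name": "jdoe",
     "Source_Network_Address": "10.0.5.23"},
    {"_time": "2024-07-02T10:01:15Z", "ComputerName": "FILESRV01",
     "EventCode": 4625, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Workstation_Name": "Ab3kZq9PxT2mN7Lr", "Account_Name": "Administrator",
     "Source_Network_Address": "10.0.5.23"},
]


def is_suspicious_smb_logon(ev):
    """True when the event satisfies every condition in the rule summary."""
    return (
        ev.get("EventCode") in (4624, 4625)
        and ev.get("Logon_Type") == 3                # network (remote) logon
        and ev.get("Authentication_Package") == "NTLM"
        and HOSTNAME_RE.match(str(ev.get("Workstation_Name", ""))) is not None
    )


def summarize(ev):
    """Reduce a matching event to the forensic fields the rule reports."""
    return {
        "time": ev["_time"],
        "dest": ev["ComputerName"],
        "user": ev["Account_Name"],
        "src": ev["Source_Network_Address"],
        "workstation": ev["Workstation_Name"],
        "outcome": "failed" if ev["EventCode"] == 4625 else "success",
    }


def detect(events):
    """Run the rule over an iterable of events; returns the summarized hits."""
    return [summarize(ev) for ev in events if is_suspicious_smb_logon(ev)]


def hits_by_source(hits):
    """Count hits per source address, which orders triage when many fire."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(hits_by_source(hits))
```

Of the five constructed events only the first and last fire: the second has a conventional hyphenated workstation name, the third is an interactive logon (`Logon_Type` 2), and the fourth authenticated with Kerberos. Pairing a 4625 and a 4624 from the same source within a short window is the "validation" the summary refers to, and `hits_by_source` is where that pairing would start.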
Categories
- Windows
- Cloud
- On-Premise
- Infrastructure
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1021.002
- T1021
Created: 2024-07-02