
Summary
This detection rule identifies the execution of PktMon.EXE, a process commonly associated with capturing network traffic and packets on Windows systems. PktMon serves legitimate network diagnostics but can equally be used for malicious activity, so its execution is a potential indicator of compromise. The detection matches on characteristics of the executable: a file name ending with 'pktmon.exe' or an original file name of 'PktMon.exe'. It is categorized under process creation logs within the Windows operating system environment. The rule aims to alert on unauthorized or suspicious executions of PktMon, which may indicate credential access attacks or other malicious intent. Because authorized personnel and applications also use the tool, false positives are expected, and analysts should review the context around each instance where the rule fires to decide whether further investigation is warranted. This rule is part of a broader threat detection strategy to monitor and mitigate risks associated with network monitoring tools that can also be exploited by malicious actors.
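To make the selection logic concrete, the following is an added example, not the rule's own source: it applies the two conditions (image path ending with pktmon.exe, or original file name PktMon.exe) to constructed process-creation events and attaches the context hints an analyst would want when reviewing a hit. The event field names, sample paths, users and triage heuristics are assumptions.

```python
# Constructed sample process-creation events (not from the page). Field names
# follow the common Sigma process_creation convention; values are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\PktMon.exe", "OriginalFileName": "PktMon.exe",
     "CommandLine": "pktmon start --capture --pkt-size 0", "User": r"CORP\svc-netops"},
    # Renamed copy: the image name no longer says pktmon, but the PE's
    # OriginalFileName still does, which is why the rule checks both.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "PktMon.exe",
     "CommandLine": "svchost.exe start --capture", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\pktmon.exe", "OriginalFileName": "PktMon.exe",
     "CommandLine": "pktmon stop", "User": r"CORP\svc-netops"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "User": r"CORP\jdoe"},
]


def matches_pktmon_rule(event):
    """Selection from the rule: Image ends with '\\pktmon.exe' OR
    OriginalFileName equals 'PktMon.exe'. Comparisons are case-insensitive,
    as Sigma's endswith/equals modifiers are on Windows fields."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\pktmon.exe") or original == "pktmon.exe"


def triage(event):
    """Assumed review hints for the analyst; these do not change the match."""
    notes = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\pktmon.exe"):
        notes.append("renamed binary: OriginalFileName is PktMon.exe but Image is not")
    if not image.startswith("c:\\windows\\system32\\"):
        notes.append("unexpected path: not the System32 copy")
    if "start" in cmd.split() and "--capture" in cmd:
        notes.append("packet capture started")
    return notes


def alerts(events):
    """Run the rule over a list of events and return one alert per match."""
    return [
        {"image": ev["Image"], "user": ev.get("User"), "notes": triage(ev)}
        for ev in events
        if matches_pktmon_rule(ev)
    ]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

On the constructed events this yields three alerts; the renamed copy is flagged only because of its OriginalFileName, which is the case a path-only check would miss.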
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-03-17