
Summary
This detection rule identifies execution of the PurpleSharp adversary simulation tool, which is used to test Red Team tactics and techniques in Windows environments. The rule monitors process creation events for instances of PurpleSharp started either directly via its executable or through command-line arguments, matching indicators such as 'PurpleSharp.exe' in the file path or related command-line inputs. Because PurpleSharp simulates a range of attack techniques, the rule is classified as critical, making prompt detection of possible misuse in a production environment essential for security operations. The likelihood of overlap with benign processes is low, so the rule produces few false positives and triggers primarily on activity related to adversarial simulations. Implementing this rule improves visibility into non-standard tool execution associated with threat simulation and testing, which supports a robust security posture against real-world attacks.
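The matching logic the summary describes, as an added example that is not the rule's own definition or code from the rule's author: it evaluates Sysmon Event ID 1 style process-creation records (fields Image, CommandLine, OriginalFileName) against the two indicators the summary names, the executable name in the image path and a PurpleSharp reference in the command line. The exact match strings and the case-insensitive comparison are assumptions derived from the summary; the OriginalFileName check goes beyond the summary and is included because it catches a renamed copy of the binary, a gap a defender would want closed. The sample events are constructed.

```python
"""Constructed example: detecting PurpleSharp execution in process-creation events.

Field names follow Sysmon Event ID 1 / Sigma process_creation conventions.
The match strings below are assumptions based on the rule summary, not the
rule's published selection; the sample events are constructed for this demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ProcessCreationEvent:
    record_id: int
    image: str                      # full path of the new process (Sysmon: Image)
    command_line: str               # Sysmon: CommandLine
    original_file_name: str = ""    # PE header name (Sysmon: OriginalFileName)


# Assumed indicators, compared case-insensitively.
IMAGE_SUFFIX = "\\purplesharp.exe"        # Image ends with \PurpleSharp.exe
ORIGINAL_FILE_NAME = "purplesharp.exe"    # survives a rename of the binary
CMDLINE_MARKER = "purplesharp"            # PurpleSharp referenced on a command line


def matches_purplesharp(event: ProcessCreationEvent) -> Optional[str]:
    """Return the name of the indicator that matched, or None if the event is benign.

    Indicators are checked from most to least specific so the returned name tells
    the analyst which part of the record fired.
    """
    if event.image.lower().endswith(IMAGE_SUFFIX):
        return "image"
    if event.original_file_name.lower() == ORIGINAL_FILE_NAME:
        return "original_file_name"
    if CMDLINE_MARKER in event.command_line.lower():
        return "command_line"
    return None


def detect(events: Iterable[ProcessCreationEvent]) -> List[int]:
    """Return the record_ids of all events that match, in input order."""
    return [e.record_id for e in events if matches_purplesharp(e) is not None]


# Constructed sample telemetry: two direct launches, one benign process, one
# renamed binary whose PE header still carries the original name.
SAMPLE_EVENTS = [
    ProcessCreationEvent(
        record_id=1,
        image=r"C:\Tools\PurpleSharp.exe",
        command_line=r'"C:\Tools\PurpleSharp.exe" /t T1059.001',
        original_file_name="PurpleSharp.exe",
    ),
    ProcessCreationEvent(
        record_id=2,
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'powershell.exe -c "& .\PurpleSharp.exe /pb"',
        original_file_name="PowerShell.EXE",
    ),
    ProcessCreationEvent(
        record_id=3,
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\alice\notes.txt",
        original_file_name="NOTEPAD.EXE",
    ),
    ProcessCreationEvent(
        record_id=4,
        image=r"C:\Users\Public\svc.exe",           # renamed on disk
        command_line=r"svc.exe /t T1547.001",
        original_file_name="PurpleSharp.exe",       # header still tells the truth
    ),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hit = matches_purplesharp(event)
        status = f"ALERT ({hit})" if hit else "ok"
        print(f"record {event.record_id}: {status}")
```

Running the block prints one line per sample record; records 1, 2 and 4 alert and record 3 does not. In production the same predicate would run over the SIEM's process-creation feed, and the returned indicator name is worth keeping in the alert so an analyst can see immediately whether the tool ran under its own name or a renamed one.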
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-06-18