
Summary
This detection rule identifies suspicious logon attempts in which a process is started with explicit credentials in a Windows environment. The rule monitors the Security event log for Event ID 4648, which is logged when a logon is attempted using explicitly specified credentials. It focuses on command-line utilities commonly used to launch processes under alternate credentials, such as cmd.exe and powershell.exe, among others. The detection criteria are set to exclude events from local system accounts through specific filters, and also check whether the subject and target usernames carry a trailing dollar sign, which designates machine accounts rather than human users. This rule is useful for identifying potential lateral movement by attackers who impersonate legitimate accounts on the network.
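The following is an added example, not the rule's own logic or code from the rule's project: it replays the matching described above over a few constructed Event ID 4648 records. It assumes the Security log field names ProcessName, SubjectUserName and TargetUserName, a utility list containing only the two names the summary gives, and that the local-system and machine-account (trailing "$") filters are exclusions.

```python
# Assumed field names follow the Windows Security log XML for Event ID 4648.
# Utility list: the summary names cmd.exe and powershell.exe; the rule's
# fuller list is not reproduced here (assumption, placeholder for the rest).
SUSPICIOUS_UTILITIES = ("\\cmd.exe", "\\powershell.exe")

# Assumption: the "local system accounts" excluded by the rule's filters.
LOCAL_SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_machine_account(name: str) -> bool:
    """Windows computer accounts end with '$' (e.g. WKSTN01$)."""
    return name.endswith("$")


def matches_rule(event: dict) -> bool:
    """Return True when the event would fire the detection."""
    if event.get("EventID") != 4648:
        return False
    proc = event.get("ProcessName", "").lower()
    if not proc.endswith(SUSPICIOUS_UTILITIES):
        return False
    subject = event.get("SubjectUserName", "")
    target = event.get("TargetUserName", "")
    if subject.upper() in LOCAL_SYSTEM_ACCOUNTS:
        return False  # local system account, filtered out
    # Assumption: filtered only when both sides are machine accounts.
    if is_machine_account(subject) and is_machine_account(target):
        return False
    return True


def alerts(events):
    """Filter a list of event dicts down to those matching the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; no real hosts or users.
SAMPLE_EVENTS = [
    # Human user starting cmd.exe with another account's credentials: fires.
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "SubjectUserName": "jsmith", "TargetUserName": "Administrator"},
    # Machine-to-machine logon: both names end in '$', filtered out.
    {"EventID": 4648,
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "SubjectUserName": "WKSTN01$", "TargetUserName": "DC01$"},
    # Local system account as the subject: filtered out.
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup"},
    # Right process, wrong event ID: ignored.
    {"EventID": 4624, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "SubjectUserName": "jsmith", "TargetUserName": "Administrator"},
]
```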
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
Created: 2020-10-05