
Summary
This detection rule targets exploitation of CVE-2023-21554, also known as QueueJumper, an unauthenticated remote code execution weakness in the Windows Message Queuing service process 'mqsvc.exe'. The vulnerability can be triggered by an attacker who can reach the service on TCP port 1801. The rule is implemented in a Splunk environment and uses Windows Sysmon logs, specifically EventCode 3 (network connection) events, to identify the relevant activity. Its logic selects network connection events on TCP port 1801 that involve the 'mqsvc.exe' service process, surfacing connections to the vulnerable service that may be malicious. The resulting table includes essential event attributes such as time, host, user, process details, and source and destination IP addresses. Overall, this rule is useful for detecting lateral movement through exploitation of remote services in organizational networks.
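The following is an added example, not the rule's own Splunk search: it applies the same selection logic (Sysmon EventCode 3, TCP, port 1801, image mqsvc.exe) to a constructed batch of Sysmon records and projects the matches onto the columns the summary lists. Field names follow Sysmon's event schema; the sample events, host names and addresses are made up, and the final allowlist step is an assumed tuning measure rather than part of the rule described above.

```python
"""Filter Sysmon EventCode 3 records for TCP connections on port 1801 handled by
mqsvc.exe, mirroring the detection logic described in the summary above."""

MSMQ_TCP_PORT = 1801
MSMQ_SERVICE_IMAGE = "mqsvc.exe"

# Constructed Sysmon EventCode 3 (network connection) records. Field names follow
# Sysmon's schema; hosts, users and addresses are invented for this example.
SAMPLE_EVENTS = [
    {  # inbound TCP connection to the MSMQ service from an external address
        "EventCode": 3, "UtcTime": "2024-02-09 10:01:12.000", "Computer": "msmq-host01",
        "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\mqsvc.exe",
        "ProcessId": 2456, "Protocol": "tcp", "Initiated": "false",
        "SourceIp": "203.0.113.7", "SourcePort": 51234,
        "DestinationIp": "10.0.0.5", "DestinationPort": 1801,
    },
    {  # ordinary browser traffic, must be ignored
        "EventCode": 3, "UtcTime": "2024-02-09 10:01:15.000", "Computer": "msmq-host01",
        "User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "ProcessId": 5120, "Protocol": "tcp", "Initiated": "true",
        "SourceIp": "10.0.0.5", "SourcePort": 49876,
        "DestinationIp": "198.51.100.20", "DestinationPort": 443,
    },
    {  # inbound MSMQ connection from a known internal client
        "EventCode": 3, "UtcTime": "2024-02-09 10:02:40.000", "Computer": "msmq-host01",
        "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\mqsvc.exe",
        "ProcessId": 2456, "Protocol": "tcp", "Initiated": "false",
        "SourceIp": "10.0.0.20", "SourcePort": 60021,
        "DestinationIp": "10.0.0.5", "DestinationPort": 1801,
    },
    {  # process creation event (EventCode 1), wrong event type
        "EventCode": 1, "UtcTime": "2024-02-09 10:03:01.000", "Computer": "msmq-host01",
        "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe",
        "ProcessId": 7788,
    },
    {  # MSMQ discovery over UDP 1801; the rule is scoped to TCP
        "EventCode": 3, "UtcTime": "2024-02-09 10:03:30.000", "Computer": "msmq-host01",
        "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\mqsvc.exe",
        "ProcessId": 2456, "Protocol": "udp", "Initiated": "false",
        "SourceIp": "10.0.0.21", "SourcePort": 1801,
        "DestinationIp": "10.0.0.5", "DestinationPort": 1801,
    },
]


def matches_queuejumper_rule(event: dict) -> bool:
    """True for a Sysmon network connection (EventCode 3) over TCP on port 1801
    whose process image is mqsvc.exe, regardless of the directory it runs from."""
    if event.get("EventCode") != 3:
        return False
    if str(event.get("Protocol", "")).lower() != "tcp":
        return False
    if int(event.get("DestinationPort", 0)) != MSMQ_TCP_PORT:
        return False
    image = str(event.get("Image", "")).replace("/", "\\").lower()
    return image.rsplit("\\", 1)[-1] == MSMQ_SERVICE_IMAGE


def build_table(events) -> list:
    """Project the matching events onto the columns the summary lists."""
    rows = []
    for ev in events:
        if not matches_queuejumper_rule(ev):
            continue
        rows.append({
            "time": ev["UtcTime"],
            "host": ev["Computer"],
            "user": ev.get("User", ""),
            "process": ev["Image"],
            "pid": ev["ProcessId"],
            # Sysmon sets Initiated=false for connections accepted by the process
            "initiated": str(ev.get("Initiated", "")).lower() == "true",
            "src_ip": ev["SourceIp"],
            "src_port": ev["SourcePort"],
            "dest_ip": ev["DestinationIp"],
            "dest_port": ev["DestinationPort"],
        })
    return rows


def unexpected_sources(rows, known_clients) -> list:
    """Assumed tuning step, not part of the summarized rule: keep only inbound
    connections whose source is not a known MSMQ peer, since legitimate MSMQ
    clients also talk to mqsvc.exe on TCP 1801."""
    return [r for r in rows if not r["initiated"] and r["src_ip"] not in known_clients]


if __name__ == "__main__":
    table = build_table(SAMPLE_EVENTS)
    for row in table:
        print(row)
    print("unexpected sources:", unexpected_sources(table, {"10.0.0.20"}))
```

Both inbound connections to mqsvc.exe on TCP 1801 land in the table, which is what the rule as summarized produces; the allowlist pass is where an analyst would separate routine MSMQ peers from sources that have no business reaching the service.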
Categories
- Windows
- Network
- Endpoint
Data Sources
- Windows Registry
- Network Traffic
- Process
ATT&CK Techniques
- T1210
- T1048.003
Created: 2024-02-09