HackTool - Hashcat Password Cracker Execution

Sigma Rules

Summary
This detection rule identifies the execution of Hashcat, a well-known password cracking tool, on Windows systems. It monitors process creation events in which `hashcat.exe` is run with command line arguments indicative of password cracking against a provided SAM file and a password list. The rule filters on command line arguments typical of password cracking operations, such as those that define the attack mode and the hash type. It is designed to produce high-confidence alerts when these conditions are met, while accounting for known false positives from legitimate tools that use similar command line patterns.
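The matching logic described above, as an added Python example (not the Sigma rule's own source): it assumes Sysmon-style `Image` and `CommandLine` fields and treats hashcat's `-a`/`--attack-mode` and `-m`/`--hash-type` options as the attack-mode and hash-type flags. It goes beyond the rule by grading name-only and flags-only matches to show where false positives arise; the sample events and the `classify`/`triage` names are constructed for illustration.

```python
import re

# Assumption: the "attack mode" and "hash type" flags in the summary are
# hashcat's -a/--attack-mode and -m/--hash-type options.
ATTACK_MODE = re.compile(r"(?:^|\s)(?:-a|--attack-mode)[\s=]*\d")
HASH_TYPE = re.compile(r"(?:^|\s)(?:-m|--hash-type)[\s=]*\d")


def classify(event):
    """Return 'high', 'medium', 'low' or None for one process-creation event."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    name_hit = image.endswith("\\hashcat.exe")
    flags_hit = bool(ATTACK_MODE.search(cmdline) and HASH_TYPE.search(cmdline))
    if name_hit and flags_hit:
        return "high"    # hashcat.exe started with cracking arguments
    if name_hit:
        return "medium"  # binary was run, but not with cracking arguments
    if flags_hit:
        return "low"     # renamed binary, or an unrelated tool sharing -a/-m
    return None


# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\hashcat\hashcat.exe",
     "CommandLine": "hashcat.exe -a 0 -m 1000 sam_hashes.txt wordlist.txt"},
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": "svc.exe --hash-type=1000 --attack-mode=0 h.txt w.txt"},
    {"Image": r"C:\Tools\hashcat\hashcat.exe",
     "CommandLine": "hashcat.exe --version"},
    {"Image": r"C:\Program Files\Backup\archiver.exe",  # hypothetical benign tool
     "CommandLine": r"archiver.exe -a 1 -m 5 D:\data"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def triage(events):
    """Pair each event's image path with its alert level."""
    return [(e["Image"], classify(e)) for e in events]


if __name__ == "__main__":
    for image, level in triage(SAMPLE_EVENTS):
        print(f"{level or 'none':6} {image}")
```

The fourth event shows why a flags-only match needs an allowlist or a lower severity: an unrelated tool can reuse `-a` and `-m` with numeric values.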
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1110.002
Created: 2021-12-27