
Summary
This analytic rule detects the use of command-line parameters associated with Rubeus, a tool designed for Kerberos attacks in Active Directory environments. By leveraging data from the Windows Security Event Log (EventCode 4688), Sysmon EventID 1, and CrowdStrike ProcessRollup2, it identifies suspicious command-line arguments reflecting malicious Kerberos ticket manipulation, kerberoasting, and password spraying. These activities are significant because they indicate potential privilege escalation and lateral movement within the network, heightening the risk of unauthorized access and data compromise. Timely detection of such activities is critical for incident response teams to mitigate potential breaches.
Categories
- Endpoint
Data Sources
- Windows Registry
- Image
ATT&CK Techniques
- T1550
- T1550.003
- T1558
- T1558.003
- T1558.004
Created: 2024-11-13