Attacker Tools On Endpoint

Splunk Security Content

Summary
This detection rule identifies the execution of tools commonly used by cybercriminals for unauthorized access, network reconnaissance, or data exfiltration. It leverages telemetry collected from Endpoint Detection and Response (EDR) solutions, matching process activity against the known attacker tool names categorized in the `attacker_tools` lookup table. By examining process-creation events from Sysmon and the Windows Event Log, the rule can surface suspicious activity early, before it escalates into data theft or a wider network compromise. Proper implementation requires integration with EDR data sources and adherence to the Splunk Common Information Model, so that fields are normalized consistently and the search runs efficiently.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1036.005
  • T1036
  • T1003
  • T1595
Created: 2024-12-10