
Summary
The rule detects coerced authentication attempts using the PetitPotam technique, which abuses the EFS RPC interface to force a target host into performing NTLM authentication. The detection monitors Windows security logs for the conditions that indicate such an attempt, in particular a resource being accessed anonymously via the IPC$ share. The rule triggers when Event ID 5145 (a file share access attempt) is logged with a share name that starts with '\\' (a network path) and ends with '\IPC$', a RelativeTargetName that references 'lsarpc', and a SubjectUserName of 'ANONYMOUS LOGON'; together these three fields are the key indicators of potential PetitPotam activity.
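The following is an added example, not part of the rule page or the rule's own implementation: it applies the conditions described above to constructed Windows Security Event ID 5145 records rendered in Windows event XML, so the matching logic can be exercised offline. The field names (ShareName, RelativeTargetName, SubjectUserName, IpAddress) are the standard EventData fields of Event 5145; the hostname, IP address and user names in the sample records are constructed.

```python
"""
Added example (not the rule page's own code): evaluate the PetitPotam
detection conditions against constructed Event ID 5145 records.
"""
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return (event_id, {field_name: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def matches_petitpotam(event_id, data):
    """Rule conditions from the summary: Event ID 5145, a share name that
    starts with '\\' and ends with '\IPC$', a RelativeTargetName containing
    'lsarpc', and SubjectUserName 'ANONYMOUS LOGON'. String comparisons are
    case-insensitive, as Sigma string matching is."""
    if event_id != 5145:
        return False
    share = data.get("ShareName", "").lower()
    target = data.get("RelativeTargetName", "").lower()
    user = data.get("SubjectUserName", "").lower()
    return (share.startswith("\\\\") and share.endswith("\\ipc$")
            and "lsarpc" in target
            and user == "anonymous logon")


def make_5145(share, target, user, src):
    """Build a constructed record in the shape of a Security Event 5145."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Computer>dc01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ShareName">{share}</Data>
    <Data Name="RelativeTargetName">{target}</Data>
    <Data Name="IpAddress">{src}</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry: one record meeting every condition, and
# three that each miss one of them (authenticated caller, a different
# named pipe, a share other than IPC$).
SAMPLE_EVENTS = [
    make_5145("\\\\*\\IPC$", "lsarpc", "ANONYMOUS LOGON", "10.0.0.25"),
    make_5145("\\\\*\\IPC$", "lsarpc", "svc_backup", "10.0.0.40"),
    make_5145("\\\\*\\IPC$", "srvsvc", "ANONYMOUS LOGON", "10.0.0.25"),
    make_5145("\\\\*\\SYSVOL", "lsarpc", "ANONYMOUS LOGON", "10.0.0.25"),
]


def scan(xml_records):
    """Return (source IP, RelativeTargetName) for every record the rule matches."""
    hits = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if matches_petitpotam(event_id, data):
            hits.append((data.get("IpAddress"), data.get("RelativeTargetName")))
    return hits


if __name__ == "__main__":
    for src, target in scan(SAMPLE_EVENTS):
        print(f"possible PetitPotam coercion: anonymous access to {target} from {src}")
```

Event ID 5145 is only produced when the "Audit Detailed File Share" subcategory (Object Access) is enabled on the monitored host, so the rule yields nothing on a system where that audit policy is off; confirm the events are actually arriving before relying on the detection.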
Categories
- Windows
Data Sources
- Logon Session
- Network Traffic
- File
- Process
Created: 2021-09-02