Windows Masquerading Msdtc Process

Splunk Security Content

Summary
This detection rule identifies the execution of 'msdtc.exe', the Microsoft Distributed Transaction Coordinator binary, with the command-line parameters -a or -b. PlugX malware is known to launch the legitimate msdtc.exe with these parameters so that its activity hides behind a trusted process name (Masquerading, T1036); a legitimately started MSDTC service instance is launched by services.exe from %SystemRoot%\System32 without them. The detection leverages process telemetry from Endpoint Detection and Response (EDR) agents together with process-creation event logs such as Sysmon Event ID 1 and Windows Security Event ID 4688. Because PlugX relies on a trusted process name to blend in, detecting this behavior is an inexpensive way to surface unauthorized access, data exfiltration and espionage activity that could severely compromise the integrity of Windows systems. When triaging a hit, compare the image path and parent process with the legitimate service instance: a copy of msdtc.exe run from a user-writable directory by explorer.exe or cmd.exe is a much stronger signal than the System32 binary started by services.exe. The search requires that the relevant logs be ingested into Splunk and mapped correctly to the Endpoint data model, in particular the Processes node with its process_name and process (full command line) fields, so that the command-line match can be evaluated.
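The matching logic described above, run offline over constructed Sysmon Event ID 1 style process-creation records, as an added example; it is not code from Splunk Security Content and does not reproduce the rule's SPL. Field names (Computer, User, Image, CommandLine, ParentImage) follow Sysmon's event schema; the hostnames, users, paths and command lines in SAMPLE_EVENTS are made up for the example, and the outside_system32 triage flag is an enrichment assumed here, not part of the page's rule.

```python
"""Added example, not from Splunk Security Content: flag msdtc.exe
process-creation events whose command line carries -a or -b, the
behavior the Windows Masquerading Msdtc Process rule looks for."""
import re
from dataclasses import dataclass

# Constructed sample events shaped like Sysmon Event ID 1 fields after
# extraction. Hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {   # legitimate MSDTC service start: no -a/-b, parent is services.exe
        "Computer": "ws01", "User": "NT AUTHORITY\\NETWORK SERVICE",
        "Image": "C:\\Windows\\System32\\msdtc.exe",
        "CommandLine": "C:\\Windows\\System32\\msdtc.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
    },
    {   # suspicious: msdtc.exe copied under a user profile and run with -a
        "Computer": "ws02", "User": "CORP\\jdoe",
        "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\msdtc.exe",
        "CommandLine": "\"C:\\Users\\jdoe\\AppData\\Roaming\\msdtc.exe\" -a",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # suspicious: -b parameter, launched from cmd.exe
        "Computer": "ws03", "User": "CORP\\svc_backup",
        "Image": "C:\\ProgramData\\msdtc.exe",
        "CommandLine": "msdtc.exe -b",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # a different binary using -a must not match
        "Computer": "ws04", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "CommandLine": "netsh.exe -a",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # msdtc.exe with a switch other than -a/-b must not match
        "Computer": "ws05", "User": "CORP\\admin",
        "Image": "C:\\Windows\\System32\\msdtc.exe",
        "CommandLine": "msdtc.exe -resetlog",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]

SUSPICIOUS_FLAGS = {"-a", "-b"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class Finding:
    """One alert, using Endpoint.Processes-style field names."""
    dest: str
    user: str
    process_path: str
    process: str
    parent_process_name: str
    flags: str
    outside_system32: bool  # added triage enrichment, not part of the rule


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths
    together (backslashes are not escape characters on Windows)."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def process_name(image: str) -> str:
    """File name component of an image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Return a Finding for every msdtc.exe event whose arguments contain
    -a or -b as a whole token (case-insensitive)."""
    findings = []
    for ev in events:
        if process_name(ev["Image"]) != "msdtc.exe":
            continue
        args = tokenize(ev["CommandLine"])[1:]  # drop argv[0]
        hit = {a.lower() for a in args} & SUSPICIOUS_FLAGS
        if not hit:
            continue
        findings.append(Finding(
            dest=ev["Computer"],
            user=ev["User"],
            process_path=ev["Image"],
            process=ev["CommandLine"],
            parent_process_name=process_name(ev["ParentImage"]),
            flags=",".join(sorted(hit)),
            outside_system32=not ev["Image"].lower().startswith(SYSTEM32_PREFIX),
        ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.dest}: {f.process!r} parent={f.parent_process_name} "
              f"flags={f.flags} outside_system32={f.outside_system32}")
```

The example matches -a and -b as whole argument tokens rather than as substrings, so a path or switch that merely contains the characters "-a" does not trigger it; the parent process name and the outside_system32 flag are carried along only to support the triage step described above and are not conditions of the detection itself.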
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Service
  • File
ATT&CK Techniques
  • T1036
Created: 2024-12-10