Capture Credentials with Rpcping.exe

Sigma Rules

Summary
The detection rule captures the execution of Rpcping.exe, a Windows tool used for Remote Procedure Call (RPC) testing. Specifically, the rule identifies instances where Rpcping.exe is run with the '-s' option, which names the target server for a test connection; establishing that connection can cause the client to send its NTLM authentication hashes to the server. The rule also checks for the command-line parameters that make the tool use NTLM credentials, namely '-u' together with 'NTLM' or '-t' together with 'ncacn_np'. If these conditions are satisfied, the rule triggers an alert indicating a potential credential theft attempt. This rule is vital for monitoring credential access attacks, particularly in environments where NTLM is still in use, and gives security teams visibility into possible misuse of RPC tooling for unauthorized credential capture.
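The selection logic described above, emulated in Python over constructed Sysmon-style process-creation events. This is an added example, not the Sigma rule itself: the field names, the sample events, the normalisation of '/x' switches to '-x', and the check that 'NTLM' and 'ncacn_np' directly follow their switch are assumptions of this example rather than the rule's exact string matching.

```python
# Constructed sample process-creation events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping.exe -s server.example.com -u NTLM -t ncacn_np"},
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping.exe -s fileshare.example.com -t ncacn_np"},
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "RPCPING.EXE /s server.example.com /u NTLM"},         # slash-style switches
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping.exe -s server.example.com -t ncacn_ip_tcp"},  # no NTLM, no named pipe
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping.exe -u NTLM"},                                # no -s target
    {"Image": r"C:\Windows\System32\ping.exe",
     "CommandLine": "ping.exe -s 4 server.example.com"},                   # different binary
]


def normalise_switches(cmdline: str) -> list[str]:
    """Split a command line into lower-cased tokens, rewriting /x switches to -x."""
    toks = []
    for part in cmdline.split():
        if part.startswith("/") and len(part) > 1:
            part = "-" + part[1:]
        toks.append(part.lower())
    return toks


def switch_value(toks: list[str], name: str):
    """Return the argument that follows switch `name`, or None if absent."""
    for i, tok in enumerate(toks[:-1]):
        if tok == name:
            return toks[i + 1]
    return None


def matches_rpcping_ntlm_capture(event: dict) -> bool:
    """Emulate the rule: rpcping.exe run with -s plus (-u NTLM or -t ncacn_np)."""
    if not event.get("Image", "").lower().endswith("\\rpcping.exe"):
        return False
    toks = normalise_switches(event.get("CommandLine", ""))
    target_given = switch_value(toks, "-s") is not None
    ntlm_auth = switch_value(toks, "-u") == "ntlm"
    named_pipe = switch_value(toks, "-t") == "ncacn_np"
    return target_given and (ntlm_auth or named_pipe)


def alerts(events: list[dict]) -> list[str]:
    """Command lines of all events that satisfy the rule."""
    return [e["CommandLine"] for e in events if matches_rpcping_ntlm_capture(e)]
```

Run against SAMPLE_EVENTS, the first three events alert and the remaining three do not, which is the split a triage analyst would expect from the rule as summarised.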
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
Created: 2020-10-09