
Summary
The rule 'HackTool - ADCSPwn Execution' detects the execution of commands that use ADCSPwn, an attack tool against Microsoft Active Directory (AD) that escalates privileges by relaying coerced authentication to AD Certificate Services. ADCSPwn works by coercing machine accounts to authenticate and relaying those authentication attempts to obtain higher privileges within an AD environment. Detection is based on monitoring command line arguments for two specific flags (' --adcs ' and ' --port ') that signal use of this tool. The rule is categorized under process creation events on Windows systems, so it triggers whenever a process is created with a command line that includes both of the defined parameters. Given the high risk of unauthorized privilege escalation in an enterprise network, security teams should be aware of any instance of ADCSPwn usage, even in testing or legitimate scenarios.
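The following is an added example, not part of the original rule page, showing how the rule's command-line check behaves when applied to a handful of constructed Windows process-creation events. It assumes the rule requires both flag strings to be present (an all-of match) and that, as in Sigma, the substring comparison is case-insensitive; the event records and paths are constructed sample data.

```python
# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\adcspwn.exe",
     "CommandLine": "adcspwn.exe --adcs ca01.corp.local --port 8080"},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use \\\\fs01\\share"},
    # A renamed binary still matches: the rule keys on the command line,
    # not on the image name, and flag case does not matter.
    {"Image": "C:\\Tools\\svchost_update.exe",
     "CommandLine": "svchost_update.exe --ADCS ca01.corp.local --PORT 9090"},
    # Only one of the two flags is present, so no alert.
    {"Image": "C:\\Python39\\python.exe",
     "CommandLine": "python.exe server.py --port 8000"},
]

# The rule's selection terms, spaces included, exactly as the page lists them.
REQUIRED_TERMS = (" --adcs ", " --port ")


def matches_adcspwn_rule(event):
    """Return True when the command line contains every required term.

    The comparison is lower-cased to mirror a case-insensitive 'contains'
    match. Because the leading and trailing spaces are part of each term,
    a flag given as the very last token with no value would not match;
    that is a property of the rule as written, not of this example.
    """
    cmd = event.get("CommandLine", "").lower()
    return all(term in cmd for term in REQUIRED_TERMS)


def scan(events):
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_adcspwn_rule(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT HackTool - ADCSPwn Execution:", hit)
```

Running the block reports the first and third sample events; the unrelated net.exe command and the event carrying only ' --port ' are left alone.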
Categories
- Windows
- Network
- Endpoint
Data Sources
- Process
- Command
Created: 2021-07-31