HackTool - SharpMove Tool Execution

Sigma Rules

Summary
The rule detects the execution of SharpMove, a tool used for lateral movement and related malicious activity within a network. SharpMove is recognized for capabilities such as scheduled task creation, querying the Service Control Manager (SCM), and executing VB scripts via Windows Management Instrumentation (WMI); the rule identifies it through specific command line parameters and through its portable executable (PE) file metadata. Alerts are triggered when a process creation event matches SharpMove by image name or PE metadata, or when its command line contains arguments indicative of SharpMove's functions. Detection relies on process creation logs, checking both the image name of the executable and the command line arguments to surface lateral movement activity as described in ATT&CK techniques such as T1021.002.
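The following is an added example, not the Sigma rule itself or code from the rule's authors. It shows how the three detection paths the summary describes (image name, PE OriginalFileName metadata, and command line arguments) can be evaluated against process creation events, and why checking metadata and command line matters when the binary has been renamed. The process creation events are constructed for the example, and the command line indicator strings (`action=scm` and the like) are an assumption standing in for the "specific command line parameters" the page mentions; substitute the strings from the actual rule when applying this to real telemetry.

```python
from typing import Dict, List, Optional, Tuple

# Sigma string matching is case-insensitive by default, so all comparisons
# below are done on lower-cased values.
IMAGE_SUFFIX = "\\sharpmove.exe"          # Image|endswith
ORIGINAL_FILENAME = "sharpmove.exe"       # OriginalFileName (PE metadata)
# ASSUMPTION: example indicator strings mirroring the capabilities the page
# lists (task creation, SCM queries, VB script execution); not taken from the page.
CMDLINE_INDICATORS = [
    "action=taskscheduler",
    "action=scm",
    "action=executevbs",
    "action=query",
]

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# These are sample records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe C:\\notes.txt"},
    # Unrenamed tool: caught by the image name.
    {"id": "e2", "Image": "C:\\Tools\\SharpMove.exe",
     "OriginalFileName": "SharpMove.exe",
     "CommandLine": "SharpMove.exe action=query computername=host01"},
    # Renamed on disk but PE metadata left intact: caught by OriginalFileName.
    {"id": "e3", "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "SharpMove.exe",
     "CommandLine": "svc.exe"},
    # Renamed and metadata stripped: only the command line gives it away.
    {"id": "e4", "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "",
     "CommandLine": "svc.exe action=SCM computername=host01"},
    # Legitimate scheduled-task admin activity: must not match.
    {"id": "e5", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /query /tn Backup"},
]


def match_reason(event: Dict[str, str]) -> Optional[str]:
    """Return which selection matched, or None if the event is clean.

    The three checks are OR-ed together, as the rule's selections are."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    if image.endswith(IMAGE_SUFFIX):
        return "image_name"
    if original == ORIGINAL_FILENAME:
        return "original_filename"
    for indicator in CMDLINE_INDICATORS:
        if indicator in cmdline:
            return f"commandline:{indicator}"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the detection over a batch of events; return (event id, reason) hits."""
    hits = []
    for event in events:
        reason = match_reason(event)
        if reason is not None:
            hits.append((event["id"], reason))
    return hits


if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: SharpMove execution matched via {reason}")
```

The ordering of the checks only affects the reported reason, not whether an event alerts. Event `e4` is the case worth noting for tuning: with the binary renamed and its version resource stripped, the command line is the last remaining hook, so the indicator list should be kept in step with the real rule rather than trimmed for brevity.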
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2024-01-29