
Summary
This rule detects the execution of KrbRelay, a Kerberos relaying tool that attackers use to impersonate legitimate users and gain access to system resources. The detection operates on process creation events on Windows systems and inspects both the executing image and its command line arguments. The logic is made up of multiple selections so that the different ways the tool may be invoked are covered: one checks for the image name 'KrbRelay.exe', another checks for command line arguments known to be used by KrbRelay. Any event matching either selection signals a potential incident; false positives are considered unlikely because the command line arguments being monitored are specific to the tool. This rule belongs to the broader set of credential access detections and aligns with ATT&CK technique T1558.003, giving security teams the visibility required to respond to such events effectively.
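The two-selection structure described above can be exercised offline with a small matcher run over constructed process-creation events. This is an added illustration, not the rule's own query or the project's code: the image name 'KrbRelay.exe' comes from the description, while the command-line substrings in CLI_REQUIRED are hypothetical placeholders because the page does not list the tool's actual arguments. The sample events are constructed; the renamed-binary case shows why the command-line selection exists alongside the image-name selection.

```python
"""Toy matcher for an image-name OR command-line process-creation rule."""
from dataclasses import dataclass
import ntpath

# Indicator values. The image name is taken from the rule description on
# this page; the command-line substrings are PLACEHOLDERS (hypothetical),
# since the page does not enumerate KrbRelay's real arguments.
IMAGE_NAME = "krbrelay.exe"
CLI_REQUIRED = ("-placeholder-flag-a", "-placeholder-flag-b")


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal view of a Windows process-creation event (image + command line)."""
    image: str
    command_line: str


def _image_basename(image: str) -> str:
    # Windows path: compare only the file name, case-insensitively, so the
    # binary is caught regardless of the directory it was dropped in.
    return ntpath.basename(image).lower()


def selection_image(ev: ProcessCreation) -> bool:
    """Selection 1: the executing image is KrbRelay.exe."""
    return _image_basename(ev.image) == IMAGE_NAME


def selection_cli(ev: ProcessCreation) -> bool:
    """Selection 2: all required argument substrings appear in the command line.

    This is what still fires when the binary has been renamed, which
    selection_image alone would miss.
    """
    cli = ev.command_line.lower()
    return all(flag in cli for flag in CLI_REQUIRED)


def fired_selections(ev: ProcessCreation) -> tuple:
    """Names of the selections that matched; an empty tuple means no alert."""
    hits = []
    if selection_image(ev):
        hits.append("image")
    if selection_cli(ev):
        hits.append("cli")
    return tuple(hits)


def evaluate(events) -> list:
    """Return (index, fired selections) for every event that raises an alert."""
    return [(i, fired_selections(ev)) for i, ev in enumerate(events)
            if fired_selections(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreation(r"C:\Windows\System32\svchost.exe",
                    "svchost.exe -k netsvcs"),                      # benign
    ProcessCreation(r"C:\Users\alice\Downloads\KrbRelay.exe",
                    "KrbRelay.exe -placeholder-flag-a x -placeholder-flag-b y"),
    ProcessCreation(r"C:\Temp\update.exe",                          # renamed binary
                    "update.exe -placeholder-flag-a x -placeholder-flag-b y"),
    ProcessCreation(r"C:\Tools\KRBRELAY.EXE", "KRBRELAY.EXE"),      # odd casing, no args
    ProcessCreation(r"C:\Temp\other.exe",
                    "other.exe -placeholder-flag-a x"),             # only one flag: no alert
]

if __name__ == "__main__":
    for idx, hits in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: ALERT via {', '.join(hits)}")
```

Running the block prints alerts for events 1, 2 and 3 only; event 4 shows the "contains all" condition doing its job, since a single shared flag is not enough to fire the command-line selection.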
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-04-27