
Summary
This detection rule identifies execution of the PowerShell script SMBExec.ps1, which runs commands remotely using NTLMv2 pass-the-hash authentication. The script lets an attacker execute commands over SMB (Server Message Block) by authenticating with an account's NTLM hash instead of its password, sidestepping the normal credential-based logon.

The rule uses Splunk logic to capture events generated by the PowerShell execution and looks for specific indicators: authentication success or failure messages, and the invocation of known libraries and functions related to TCP connections and MD5 hashing. Detection is based on EventCode 4103, the PowerShell module-logging event generated when script commands execute; within those events it checks for strings and patterns in the executed commands that are characteristic of SMBExec behavior.

The attack vector detected here typically supports lateral movement within a network, allowing attackers to exploit remote services. Its association with the threat actor group FIN12 makes the rule relevant to targeted advanced persistent threat (APT) campaigns that use similar techniques.
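As an added illustration (not the rule's actual Splunk search), the same matching idea expressed in Python over constructed EventCode 4103 records: an event is flagged when several SMBExec-style indicators co-occur in its payload. The field names, the indicator regexes and the sample records are assumptions chosen for this example, not values taken from the rule.

```python
import re

# Constructed sample records (not real telemetry). Each dict mimics the fields a
# search over the PowerShell operational log would expose: event id, host, and
# the logged command/pipeline text.
SAMPLE_EVENTS = [
    {"EventCode": 4103, "Computer": "WS01",
     "Payload": "CommandInvocation(New-Object): System.Net.Sockets.TCPClient; "
                "[System.Security.Cryptography.MD5]::Create(); "
                "[+] user successfully authenticated on 10.0.0.5"},
    {"EventCode": 4103, "Computer": "WS02",
     "Payload": "CommandInvocation(Get-ChildItem): ParameterBinding(Path=C:\\)"},
    {"EventCode": 4104, "Computer": "WS03",
     "Payload": "System.Net.Sockets.TCPClient MD5"},  # wrong event id: ignored
]

# Assumed indicators mirroring the rule's description: a TCP client class, an
# MD5 hashing class, and an authentication success/failure message.
INDICATORS = {
    "tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "md5": re.compile(r"Cryptography\.MD5", re.I),
    "auth_result": re.compile(
        r"(successfully authenticated|failed to authenticate|"
        r"authentication (successful|failed))", re.I),
}


def score_event(event):
    """Return the names of indicators present in one record ([] unless it is 4103)."""
    if event.get("EventCode") != 4103:
        return []
    payload = event.get("Payload", "")
    return [name for name, rx in INDICATORS.items() if rx.search(payload)]


def detect_smbexec(events, min_indicators=2):
    """Return (host, matched indicators) for records with enough SMBExec-style hits.

    Requiring more than one indicator keeps a lone MD5 or TCPClient reference
    in ordinary scripts from firing the detection.
    """
    hits = []
    for ev in events:
        matched = score_event(ev)
        if len(matched) >= min_indicators:
            hits.append((ev.get("Computer"), matched))
    return hits


if __name__ == "__main__":
    for host, why in detect_smbexec(SAMPLE_EVENTS):
        print(f"{host}: possible SMBExec.ps1 execution ({', '.join(why)})")
```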
Categories
- Endpoint
- Network
- Windows
Data Sources
- Process
- Command
- Script
ATT&CK Techniques
- T1059.001
- T1202
- T1021.002
- T1569.002
- T1210
Created: 2024-03-08