
Metasploit SMB Authentication

Sigma Rules

Summary
This detection rule identifies unauthorized or suspicious authentication attempts made by the Metasploit framework against Windows hosts in a domain environment. Specifically, it looks for logon events whose authentication package is NTLM, the package commonly seen in lateral-movement techniques used by attackers exploiting vulnerabilities. It checks failed logon attempts (EventID 4625) and successful logon attempts (EventID 4624) with LogonType 3, which indicates a network logon. The rule also examines EventID 4776 for workstation names matching a 16-character alphanumeric string, the pattern of the hostname Metasploit typically presents. Its condition requires that at least one of the defined selections match to raise an alert, which keeps false positives low while still reliably detecting Metasploit authentication activity in the environment.
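The logic described above, as an added Python example (not the Sigma rule itself or the project's own code). It assumes the three indicators are combined as the summary states (4624/4625 with LogonType 3 and NTLM, plus 4776 with a 16-character alphanumeric workstation name), and it applies the workstation pattern to the logon events as well, which is an assumption of this example. The input is a constructed set of JSON-lines security events, not real telemetry; field names follow the Windows Security log (WorkstationName for 4624/4625, Workstation for 4776).

```python
import json
import re

# Metasploit's SMB modules present a random 16-character alphanumeric
# workstation name; this pattern is the rule's core indicator.
RANDOM_WORKSTATION = re.compile(r"^[A-Za-z0-9]{16}$")

# Constructed sample events in JSON-lines form (not real telemetry).
SAMPLE_EVENTS = """\
{"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "aB3dE5fG7hJ9kL1m", "TargetUserName": "administrator"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "FIN-WS-017", "TargetUserName": "j.doe"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "WorkstationName": "Zy9Xw8Vu7Ts6Rq5P", "TargetUserName": "svc_backup"}
{"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM", "WorkstationName": "Zy9Xw8Vu7Ts6Rq5P", "TargetUserName": "j.doe"}
{"EventID": 4776, "Workstation": "Qw2Er4Ty6Ui8Op0A", "TargetUserName": "administrator", "Status": "0xC000006A"}
{"EventID": 4776, "Workstation": "DESKTOP-7H2K9Q", "TargetUserName": "j.doe", "Status": "0x0"}
"""


def parse_events(text):
    """Parse JSON-lines security events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def selection_logon(ev):
    """Selection 1: network logon (type 3) via NTLM from a random-looking host.

    Applying the workstation pattern here is this example's assumption; the
    page summary states the pattern explicitly only for EventID 4776.
    """
    return (
        ev.get("EventID") in (4624, 4625)
        and ev.get("LogonType") == 3
        and ev.get("AuthenticationPackageName") == "NTLM"
        and RANDOM_WORKSTATION.match(ev.get("WorkstationName", "")) is not None
    )


def selection_4776(ev):
    """Selection 2: NTLM credential validation (4776) from a random-looking host."""
    return (
        ev.get("EventID") == 4776
        and RANDOM_WORKSTATION.match(ev.get("Workstation", "")) is not None
    )


def detect(events):
    """Return (EventID, workstation, selection) for every event that matches.

    Mirrors a '1 of selection*' condition: either selection alone is enough.
    """
    hits = []
    for ev in events:
        if selection_logon(ev):
            hits.append((ev["EventID"], ev["WorkstationName"], "logon"))
        elif selection_4776(ev):
            hits.append((ev["EventID"], ev["Workstation"], "4776"))
    return hits


if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS)):
        print("ALERT Metasploit SMB Authentication:", hit)
```

Of the six constructed events only two fire: the NTLM network logon failure from a 16-character host, and the 4776 validation from another such host. The Kerberos logon and the interactive (type 2) logon from a 16-character host do not match, which shows that the logon selection depends on all three fields, not on the hostname alone. One caveat for tuning: any legitimately named host whose NetBIOS name happens to be exactly 16 alphanumeric characters will match the pattern, so an allowlist of known hostnames is the usual companion to this rule.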
Categories
  • Windows
  • Network
  • On-Premise
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
Created: 2020-05-06