
HackTool - PowerTool Execution

Sigma Rules

Summary
This detection rule identifies execution of the PowerTool utility, a known hacking tool that can kill processes, delete process files, unload drivers, and remove driver files. First documented in connection with ransomware attacks, it has since appeared in various incident reports, so its execution should be monitored closely to prevent further exploitation. The rule targets process creation events in which the executables 'PowerTool.exe' or 'PowerTool64.exe' are invoked, and additionally checks the original file name (a PE header value that survives renaming of the binary) to improve detection accuracy. Given its capabilities and its association with defense evasion tactics, monitoring for this tool is a meaningful contribution to endpoint security.
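The matching logic the summary describes, applied to constructed Sysmon-style process-creation events. This is an added example and not the Sigma project's rule file; it assumes the rule matches either an image path ending in PowerTool.exe / PowerTool64.exe or an OriginalFileName of one of those two values, compared case-insensitively.

```python
"""Added example: PowerTool process-creation detection over sample events."""
from typing import Iterable

# Assumption: image suffix OR PE OriginalFileName match, case-insensitive
# (Sigma string matching is case-insensitive by default).
IMAGE_SUFFIXES = ("\\powertool.exe", "\\powertool64.exe")
ORIGINAL_FILE_NAMES = ("powertool.exe", "powertool64.exe")


def matches_powertool(event: dict) -> bool:
    """Return True when a process-creation event matches the rule."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # The suffix starts with a backslash so 'notpowertool.exe' does not match;
    # the OriginalFileName branch catches a renamed copy of the binary.
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def find_hits(events: Iterable[dict]) -> list:
    """ProcessIds of all events the rule fires on, in input order."""
    return [e["ProcessId"] for e in events if matches_powertool(e)]


# Constructed sample events (Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Tools\PowerTool64.exe",
     "OriginalFileName": "PowerTool.exe"},
    # Renamed copy: the image name is benign but the PE metadata is not.
    {"ProcessId": 1002, "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "PowerTool.exe"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    # Similar-looking but unrelated tool; must not fire.
    {"ProcessId": 1004, "Image": r"C:\Program Files\PowerToys\PowerToys.exe",
     "OriginalFileName": "PowerToys.exe"},
]

if __name__ == "__main__":
    for pid in find_hits(SAMPLE_EVENTS):
        print(f"PowerTool execution detected: ProcessId {pid}")
```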
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2022-11-29