Ryuk Wake on LAN Command

Splunk Security Content

Summary
This detection rule identifies the Wake-on-LAN (WoL) commands that Ryuk ransomware issues on endpoints. Ryuk uses WoL to power on machines in the network that are switched off, so that their disks can be encrypted as well. The rule uses process-creation events from Sysmon (EventID 1), the Windows Security Event Log (EventID 4688) and CrowdStrike's ProcessRollup2, and matches process and command-line fields against patterns specific to Ryuk's WoL invocation. A match indicates an attempt to spread the ransomware to additional devices in an already compromised environment; affected endpoints should be investigated and isolated immediately to limit data loss and operational disruption.
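The matching logic described above, as an added Python example that is not part of the Splunk content or the rule's own SPL: it normalizes process-creation events from the three sources the summary names onto common fields and applies one command-line pattern to all of them. The sourcetype labels, the raw field names and the "8 LAN" argument token (taken from public Ryuk write-ups, not from this page) are assumptions.

```python
import re

# Command-line pattern. Public Ryuk analyses describe the sample being launched with the
# arguments "8 LAN" to trigger its Wake-on-LAN routine; that token is an assumption made
# here, not something stated on the Splunk page, so tune it to your own telemetry.
WOL_PATTERN = re.compile(r"(^|\s)8\s+LAN(\s|$)", re.IGNORECASE)

# Raw field names differ per source; map each onto the common fields the rule needs.
FIELD_MAP = {
    "sysmon:1": {"dest": "Computer", "process_name": "Image", "process": "CommandLine"},
    "security:4688": {"dest": "Computer", "process_name": "NewProcessName", "process": "CommandLine"},
    "crowdstrike:ProcessRollup2": {"dest": "ComputerName", "process_name": "ImageFileName", "process": "CommandLine"},
}

def normalize(event):
    """Project a raw process-creation event onto dest / process_name / process, or None if unknown."""
    mapping = FIELD_MAP.get(event.get("sourcetype", ""))
    if mapping is None:
        return None
    return {
        "dest": event.get(mapping["dest"], ""),
        # keep only the file name so paths from different sources compare alike
        "process_name": event.get(mapping["process_name"], "").rsplit("\\", 1)[-1],
        "process": event.get(mapping["process"], ""),
    }

def detect_wol(events):
    """Return matching events plus the hosts whose events carried no command line at all."""
    hits, blind = [], []
    for raw in events:
        ev = normalize(raw)
        if ev is None:
            continue
        if not ev["process"]:
            # 4688 only carries the command line when process-creation command-line
            # auditing is enabled; without it this rule is blind on that host.
            blind.append(ev["dest"])
        elif WOL_PATTERN.search(ev["process"]):
            hits.append(ev)
    return {"hits": hits, "blind": blind}

# Constructed sample telemetry (not real incident data): a hit from Sysmon and one from
# CrowdStrike, a 4688 event logged without its command line, and two benign look-alikes.
SAMPLE_EVENTS = [
    {"sourcetype": "sysmon:1", "Computer": "ws01", "Image": r"C:\Users\Public\update.exe", "CommandLine": r'"C:\Users\Public\update.exe" 8 LAN'},
    {"sourcetype": "security:4688", "Computer": "ws02", "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": ""},
    {"sourcetype": "crowdstrike:ProcessRollup2", "ComputerName": "ws03", "ImageFileName": r"\Device\HarddiskVolume2\Windows\Temp\payload.exe", "CommandLine": "payload.exe 8 LAN"},
    {"sourcetype": "sysmon:1", "Computer": "ws04", "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"sourcetype": "sysmon:1", "Computer": "ws05", "Image": r"C:\tools\x.exe", "CommandLine": "x.exe 8LAN"},
]
```

The "blind" list is the operational caveat: hosts that log 4688 without command lines never produce a hit, so the rule's coverage depends on enabling command-line auditing or deploying Sysmon/EDR there.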
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1059
  • T1059.003
Created: 2024-12-10