
HackTool - Generic Process Access

Sigma Rules

Summary
This rule detects suspicious process access requests that originate from known hacktool executables on Windows hosts. Detection works by matching the source process image name, either by specific endings or by substrings, against a list of credential access tools frequently used in attacks. Tools such as 'mimikatz' and 'PowerTool' are commonly used by attackers to read sensitive credential material inside a compromised network. The rule aims to surface attempts to access or replicate processes that are indicative of the lateral movement and privilege escalation techniques used by threat actors. Monitoring these process accesses helps organizations identify and respond to compromises involving known hacking tools more quickly.
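The matching logic the summary describes, as an added example that is not the rule's own source: it evaluates the source image of process access events (assumed here to be Sysmon Event ID 10 records, the usual source for the Sigma process_access category) against endswith and contains patterns. Only the two tool names this page cites are listed; the real rule's list is longer, and the sample events are constructed.

```python
# Image-name patterns checked against the SourceImage of a process access event.
# Sigma string modifiers are case-insensitive, so both sides are lower-cased.
# Assumption: only the two names cited on this page are listed; the rule's real list is longer.
HACKTOOL_ENDSWITH = (
    "\\mimikatz.exe",
    "\\powertool.exe",
)
# Substring patterns catch renamed or rebuilt copies that the endswith list misses.
HACKTOOL_CONTAINS = (
    "mimikatz",
)

# Constructed sample events with the fields a Sysmon Event ID 10 record carries.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": "C:\\Tools\\PowerTool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": "C:\\temp\\mimikatz_x64_build.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # Process creation (EID 1) is outside this rule's scope even for a hacktool image.
    {"EventID": 1, "Image": "C:\\temp\\mimikatz.exe"},
]


def matches_hacktool_image(source_image):
    """Return the pattern that matched the image name, or None if no pattern matched."""
    img = source_image.lower()
    for suffix in HACKTOOL_ENDSWITH:
        if img.endswith(suffix):
            return f"endswith:{suffix}"
    for part in HACKTOOL_CONTAINS:
        if part in img:
            return f"contains:{part}"
    return None


def detect_hacktool_process_access(events):
    """Apply the rule to a list of event dicts; return one hit per matching EID 10 event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        reason = matches_hacktool_image(ev.get("SourceImage", ""))
        if reason is not None:
            hits.append({"SourceImage": ev["SourceImage"], "TargetImage": ev.get("TargetImage"),
                         "GrantedAccess": ev.get("GrantedAccess"), "Reason": reason})
    return hits


if __name__ == "__main__":
    for hit in detect_hacktool_process_access(SAMPLE_EVENTS):
        print(hit)
```

The Reason field records which pattern fired, which is useful when triaging a hit against a renamed binary.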
Categories
  • Windows
Data Sources
  • Process
Created: 2023-11-27