
HackTool - CrackMapExec Execution

Summary
This detection rule monitors for the execution of CrackMapExec, a popular post-exploitation tool frequently used in attacks against Windows environments. Because it appears in both penetration testing and malicious activity, identifying its invocation is important for security monitoring. The rule looks for command-line argument patterns typically associated with CrackMapExec, so that it still fires when the binary itself has been renamed or replaced. It does this by inspecting the process command line for options and parameters indicative of CrackMapExec's operation, such as `--local-auth`, `-u` and `-p`, among others. The rule covers multiple CrackMapExec modules, which communicate over SMB, and alerts on all significant command-line patterns that indicate potentially malicious use of the tool. Its high severity level reflects its importance in identifying potentially harmful activity on Windows systems.
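The following Python script is an added illustration of the command-line-centred approach the summary describes; it is not the Sigma rule itself and is not code from the rule's authors. It evaluates only the options the summary names (`--local-auth`, `-u`, `-p`) together with an `smb` protocol token, ignores the image path so a renamed binary still matches, and runs over a few constructed process-creation records (not real telemetry). The function names, the scoring logic and the requirement that `-u`/`-p` only count beside an SMB target are assumptions made for this example; the real rule contains more patterns.

```python
"""Simplified, stand-alone approximation of command-line-based CrackMapExec detection.

Illustrative example written for this page; it is NOT the Sigma rule's actual logic
and only covers the options named in the summary. All sample data is constructed.
"""
from typing import Dict, List

# Strong single-token indicator named in the summary.
STRONG_FLAGS = {"--local-auth"}
# Credential flags that are too generic alone; they only count next to an SMB target.
CRED_FLAGS = {"-u", "-p"}
PROTOCOL_TOKENS = {"smb"}


def tokenize(cmdline: str) -> List[str]:
    """Whitespace-split a process command line and lowercase each token.

    CrackMapExec options are single tokens, so plain splitting is sufficient here.
    """
    return [t.lower() for t in cmdline.split()]


def evaluate_cmdline(cmdline: str) -> Dict[str, object]:
    """Return a verdict for one command line, looking at its arguments only.

    The image path is deliberately ignored so that a renamed or repacked binary
    still produces a match, mirroring the approach the summary describes.
    """
    tokens = set(tokenize(cmdline))
    reasons: List[str] = []
    if tokens & STRONG_FLAGS:
        reasons.append("local-auth flag present")
    if CRED_FLAGS <= tokens and tokens & PROTOCOL_TOKENS:
        reasons.append("SMB target with -u/-p credential options")
    return {"matched": bool(reasons), "reasons": reasons}


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply evaluate_cmdline to each process-creation record and return the hits."""
    hits = []
    for ev in events:
        verdict = evaluate_cmdline(ev["cmdline"])
        if verdict["matched"]:
            hits.append({"image": ev["image"], "reasons": verdict["reasons"]})
    return hits


# Constructed sample process-creation records (made up for this example).
# Events 3 and 4 carry -u/-p-style tokens but no SMB context and should not match.
SAMPLE_EVENTS = [
    {"image": "C:\\Python39\\python.exe",
     "cmdline": "python.exe cme.py smb 10.0.0.0/24 -u admin -p REDACTED --local-auth"},
    {"image": "C:\\Tools\\renamed.exe",
     "cmdline": "renamed.exe smb hosts.txt -u svc -p REDACTED"},
    {"image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net.exe use \\\\fileserver\\share /user:bob -p"},
    {"image": "C:\\Program Files\\Git\\bin\\git.exe",
     "cmdline": "git.exe commit -u -p"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["image"], "->", ", ".join(hit["reasons"]))
```

The second record shows why argument-based matching matters: the image name carries no hint of the tool, yet the command line still trips the rule. The last two records show the cost of the generic `-u`/`-p` tokens and why a real rule pairs them with further context rather than matching them on their own.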
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Process
Created: 2022-02-25