
HackTool - SafetyKatz Execution

Sigma Rules

Summary
This rule detects execution of the hack tool SafetyKatz on Windows systems. SafetyKatz is a credential dumping tool that attackers use to extract passwords from memory. Detection relies on properties of the executable file itself: the rule matches processes whose image path ends with 'SafetyKatz.exe', whose Original File Name is 'SafetyKatz.exe', or whose file description is 'SafetyKatz'. If any of these conditions is met, an alert is raised because of the tool's association with credential access attacks. The potential for false positives is considered low. Monitoring for such tools is essential, as they give adversaries the means to capture sensitive authentication information and thereby gain unauthorized access to protected resources.
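Example added here, not the catalogue's own rule source: a small Python evaluator that applies the three selections above to constructed process-creation events. Field names follow the Sigma process_creation taxonomy (Image, OriginalFileName, Description); the leading path separator in the image test and the sample events are assumptions.

```python
# Added example: evaluates the three selections described in the summary
# against constructed process-creation events (Sigma process_creation fields:
# Image, OriginalFileName, Description). Not the catalogue's rule source.

def matches_safetykatz(event: dict) -> bool:
    """True when any of the rule's three selections matches the event.

    Sigma string matching is case-insensitive, so values are lower-cased
    first. The leading backslash in the Image test is an assumption added to
    avoid matching names such as 'NotSafetyKatz.exe'; the summary only says
    the image name 'ends with' SafetyKatz.exe.
    """
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    description = str(event.get("Description", "")).lower()
    return (
        image.endswith("\\safetykatz.exe")   # selection 1: image name
        or original == "safetykatz.exe"      # selection 2: PE OriginalFileName
        or description == "safetykatz"       # selection 3: PE file description
    )


def triage(events: list[dict]) -> list[str]:
    """Return the ids of events that should raise this alert."""
    return [e["id"] for e in events if matches_safetykatz(e)]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Users\alice\Desktop\SafetyKatz.exe",
     "OriginalFileName": "SafetyKatz.exe", "Description": "SafetyKatz"},
    # Binary renamed on disk, but PE version info still carries the name.
    {"id": "e2", "Image": r"C:\Temp\svchost.exe",
     "OriginalFileName": "safetykatz.exe", "Description": ""},
    # Renamed and OriginalFileName stripped; Description still present.
    {"id": "e3", "Image": r"C:\Temp\update.exe",
     "OriginalFileName": "", "Description": "SAFETYKATZ"},
    # Unrelated binary whose name merely shares a suffix: must not alert.
    {"id": "e4", "Image": r"C:\Program Files\Vendor\NotSafetyKatz.exe",
     "OriginalFileName": "NotSafetyKatz.exe", "Description": "Vendor tool"},
    {"id": "e5", "Image": r"C:\Windows\System32\lsass.exe",
     "OriginalFileName": "lsass.exe",
     "Description": "Local Security Authority Process"},
]

if __name__ == "__main__":
    print("alerting events:", triage(SAMPLE_EVENTS))  # ['e1', 'e2', 'e3']
```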
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-10-20