HackTool - KrbRelayUp Execution

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\KrbRelayUp.exe" OR ORIGINALFILENAME = "KrbRelayUp.exe") OR (COMMANDLINE contains " relay " AND COMMANDLINE contains " -Domain " AND COMMANDLINE contains " -ComputerName ") OR (COMMANDLINE contains " krbscm " AND COMMANDLINE contains " -sc ") OR (COMMANDLINE contains " spawn " AND COMMANDLINE contains " -d " AND COMMANDLINE contains " -cn " AND COMMANDLINE contains " -cp ") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID