
Summary
This detection rule identifies potential reconnaissance of permission misconfigurations on Windows systems. It targets executions of 'findstr.exe' or 'find.exe' whose command line contains the keyword 'EVERYONE' or 'BUILTIN', since filtering on these well-known security principals indicates that an attacker may be examining file or directory permissions for weak access controls. Using 'findstr' in combination with 'icacls' is a method adversaries employ to locate improperly configured permissions that could support privilege escalation. The rule captures executions of these commands and raises an alert when the defined conditions are met, so that security teams can investigate and respond to the activity. Overall, it serves as a proactive measure for spotting misuse of utilities commonly used on Windows for permission enumeration and management.
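The matching logic described above, written out as an added example (not the rule's own implementation) and run over a few constructed process-creation events. It assumes events normalised into Image, CommandLine and ParentCommandLine fields, treats keyword matching as case-insensitive, and records whether 'icacls' appears in the parent command line as the correlation the summary mentions:

```python
# Constructed process-creation events in a SIEM-style layout; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": 'findstr /i "EVERYONE BUILTIN"',
     "ParentCommandLine": r'cmd.exe /c icacls "C:\Program Files" /t | findstr /i "EVERYONE BUILTIN"'},
    {"Image": r"C:\Windows\System32\find.exe",
     "CommandLine": 'find /i "BUILTIN\\Users"',
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": 'findstr /s /n "TODO" *.cs',          # benign developer usage
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls C:\data /grant "BUILTIN\Users":R',  # icacls alone, no findstr/find
     "ParentCommandLine": "cmd.exe"},
]

# Image names and keywords from the rule summary (field names are assumed).
IMAGE_SUFFIXES = ("\\findstr.exe", "\\find.exe")
KEYWORDS = ("EVERYONE", "BUILTIN")


def matches_rule(event: dict) -> bool:
    """True when the process is findstr.exe/find.exe and its command line names EVERYONE or BUILTIN."""
    image = event.get("Image", "").lower()
    if not image.endswith(IMAGE_SUFFIXES):
        return False
    command_line = event.get("CommandLine", "").upper()   # case-insensitive, as assumed above
    return any(keyword in command_line for keyword in KEYWORDS)


def icacls_correlated(event: dict) -> bool:
    """True when the launching command line shows icacls feeding the filter (the correlation the rule notes)."""
    return "icacls" in event.get("ParentCommandLine", "").lower()


def evaluate(events: list) -> list:
    """Return one alert record per matching event, tagged with the icacls correlation."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "image": event["Image"],
                "command_line": event["CommandLine"],
                "icacls_correlated": icacls_correlated(event),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first two events alert; the plain source-code search and the lone icacls call do not. Legitimate administrators auditing ACLs will produce the same pattern, so tuning on the executing user or parent process is usually needed before the alert is actionable.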
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-08-12