
Summary
This detection rule identifies commands used to query the system time on Windows hosts, specifically process creations that can reveal the system's time and time zone. Such queries are often a preliminary step for attackers planning scheduled tasks or gathering intelligence on a target system's time configuration. The rule looks for two common system utilities, 'net.exe' and 'w32tm.exe', launched with command-line arguments that suggest a system-time inquiry (for example a 'time' or 'tz' argument). If either utility is started with such a command line during process creation, the rule triggers, helping analysts identify potential reconnaissance activity. Because the rule is rated low level, legitimate administrative use of these commands will also appear in the results and is listed as a known false positive.
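The following is an added example, not the rule's own code: a minimal re-implementation of the matching logic described above, applied to constructed Sysmon-style process-creation events. The field names (Image, CommandLine, User) and the helper names are assumptions for illustration, and the sample events are invented rather than real telemetry.

```python
# Added example (not the detection rule's own code): re-implementing the
# logic described in the summary so the matching behaviour can be inspected.
# Field names follow the common Sysmon/Sigma convention and are assumed here.

from dataclasses import dataclass

# Rule parameters taken from the description: the two utilities and the
# command-line fragments that indicate a time or time-zone query.
TIME_QUERY_IMAGES = ("\\net.exe", "\\w32tm.exe")
TIME_QUERY_ARGS = ("time", "tz")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process (Image)
    command_line: str   # full command line as logged (CommandLine)
    user: str = ""      # launching account, kept only for triage context


def matches_time_discovery(event: ProcessEvent) -> bool:
    """Return True when the event matches the rule: a net.exe or w32tm.exe
    process whose command line contains 'time' or 'tz'.

    Windows paths and these utilities' arguments are case-insensitive, so
    both sides are lower-cased first (e.g. 'NET TIME' must still match).
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith(TIME_QUERY_IMAGES):
        return False
    return any(arg in cmd for arg in TIME_QUERY_ARGS)


def scan(events):
    """Apply the rule to a sequence of events and return the matching ones."""
    return [e for e in events if matches_time_discovery(e)]


# Constructed sample events (not real telemetry). The comments say what each
# one is meant to exercise.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net time \\DC01", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\w32tm.exe", "w32tm /tz", r"CORP\jdoe"),
    # upper-case path and arguments: must still match
    ProcessEvent(r"C:\Windows\System32\NET.EXE", "NET TIME", r"CORP\svc-backup"),
    # net.exe without a time query: no match
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user", r"CORP\jdoe"),
    # w32tm resynchronisation by SYSTEM: no 'time'/'tz' fragment, no match
    ProcessEvent(r"C:\Windows\System32\w32tm.exe", "w32tm /resync", r"NT AUTHORITY\SYSTEM"),
    # a time query through a utility the rule does not cover: no match
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c time /t", r"CORP\jdoe"),
    # substring pitfall: 'time' inside a share name, not a time query, but matches
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net use Z: \\files\timesheets", r"CORP\jdoe"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"MATCH user={hit.user!r} image={hit.image!r} cmd={hit.command_line!r}")
```

Running the block prints four matches: the three genuine time queries and the `net use ... \timesheets` line. That last hit illustrates why the rule is rated low level: a plain substring test on the command line catches any net.exe invocation whose arguments happen to contain "time", so analysts should expect to triage such results alongside the legitimate administrative uses the rule already lists as false positives.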
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1124
Created: 2019-10-24