
Powershell Suspicious Win32_PnPEntity

Sigma Rules

Summary
This detection rule identifies suspicious use of PowerShell commands that reference the `Win32_PnPEntity` WMI class, which enumerates the peripheral devices and components attached to a Windows system. Adversaries can use this query to collect information about system hardware that aids in planning further attacks. The rule triggers when a logged PowerShell script block contains the string 'Win32_PnPEntity', indicating that the script is querying details about connected devices; such queries can be a sign of reconnaissance that precedes malicious actions. Detection requires Windows PowerShell Script Block Logging to be enabled. The rule can produce false positives when legitimate administrative scripts run the same query, so the value of an alert depends primarily on context: execution in an atypical setting, possibly by an unauthorized actor gathering system information during a breach or reconnaissance operation, is the case the rule is meant to surface.
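The matching logic described above, applied to constructed Event ID 4104 (Script Block Logging) records, as an added example that is not the rule's own source or code from this site. It assumes the standard Windows event XML layout with `ScriptBlockText` and `Path` data fields; the script bodies and file paths are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INDICATOR = "win32_pnpentity"   # the rule's literal, compared case-insensitively

# Constructed records in the XML shape of Event ID 4104
# (Microsoft-Windows-PowerShell/Operational). Scripts and paths are invented.
def _event(event_id, script, path=""):
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="ScriptBlockText">{script}</Data>'
        f'<Data Name="Path">{path}</Data></EventData></Event>'
    )

SAMPLE_EVENTS = [
    _event(4104, "Get-WmiObject -Class Win32_PnPEntity | Select-Object Name, DeviceID"),
    _event(4104, "Get-CimInstance win32_pnpentity | Where-Object Status -ne OK",
           "C:\\Scripts\\CheckDevices.ps1"),
    _event(4104, "Get-Process | Sort-Object CPU -Descending"),
    _event(4103, "Win32_PnPEntity"),   # 4103 is pipeline logging, not a script block
]

def parse_event(xml_text):
    """Extract EventID and the two EventData fields the rule and its triage use."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id,
            "ScriptBlockText": data.get("ScriptBlockText", ""),
            "Path": data.get("Path", "")}

def matches_rule(event):
    # Sigma 'contains' is case-insensitive in most backends, so normalise first.
    return event["EventID"] == 4104 and INDICATOR in event["ScriptBlockText"].lower()

def run_rule(xml_events):
    """Apply the rule to raw records; return one alert dict per match.

    Path is empty for blocks typed interactively or passed on the command line;
    a known administrative script path is the false-positive case to tune for."""
    alerts = []
    for raw in xml_events:
        ev = parse_event(raw)
        if matches_rule(ev):
            alerts.append({"technique": "T1120",
                           "path": ev["Path"] or "<interactive>",
                           "script": ev["ScriptBlockText"]})
    return alerts

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```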
Categories
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1120
Created: 2021-08-23