
Potential PowerShell Post-Exploitation Activity

Anvilogic Forge

Summary
This detection rule targets potential post-exploitation activity by malicious actors using PowerShell, specifically the use of scripts such as ADRecon. ADRecon is known for gathering Active Directory information and may use the PowerShell environment to compile and execute its payloads. The detection therefore focuses on PowerShell invoking child processes such as csc.exe (the C# compiler) and cvtres.exe (used for resource compilation). These processes are monitored when they are launched by PowerShell or pwsh (PowerShell Core) and access .cmdline files located in the AppData\Local\Temp directory. The rule tracks these activities within a five-minute timeframe to identify potentially malicious post-exploitation behavior, regardless of the script's name or the cmdlets used. The underlying logic queries EDR process events for indicators that suggest the execution of reconnaissance scripts within a Windows environment.
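As an added illustration of the logic described above (this is example code written for this page, not the Anvilogic rule itself), the following Python applies the same conditions to a handful of constructed EDR process events: a child process of csc.exe or cvtres.exe, a parent of powershell.exe or pwsh.exe, and a command line that references a .cmdline file under AppData\Local\Temp. The pipe-delimited event format, the host names, the paths and the command lines are all constructed sample data, and the five-minute window is interpreted here as requiring both csc.exe and cvtres.exe on the same host within that window (an assumption about how the correlation is meant to work).

```python
"""Constructed example: correlate PowerShell-spawned csc.exe / cvtres.exe
events that reference a .cmdline response file in AppData\\Local\\Temp."""
import re
from datetime import datetime, timedelta

# Parent / child process names the rule cares about (compared case-insensitively).
PARENTS = {"powershell.exe", "pwsh.exe"}
CHILDREN = {"csc.exe", "cvtres.exe"}

# A .cmdline file somewhere below ...\AppData\Local\Temp\ on the command line.
CMDLINE_FILE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.cmdline', re.IGNORECASE)

# Constructed sample events, format: timestamp|host|parent_process|process|command_line
SAMPLE_EVENTS = [
    # WS01: PowerShell compiles C# via csc.exe, then cvtres.exe, seconds apart -> should alert
    r'2024-02-09T10:00:01|WS01|powershell.exe|csc.exe|"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\qkx2r5ab\qkx2r5ab.cmdline"',
    r'2024-02-09T10:00:03|WS01|powershell.exe|cvtres.exe|"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /NOLOGO /READONLY @"C:\Users\alice\AppData\Local\Temp\qkx2r5ab\qkx2r5ab.cmdline"',
    # WS01: unrelated benign process, ignored
    r'2024-02-09T10:00:05|WS01|explorer.exe|notepad.exe|notepad.exe C:\Users\alice\notes.txt',
    # BUILD01: csc.exe launched by MSBuild, not PowerShell -> not a candidate
    r'2024-02-09T10:01:00|BUILD01|MSBuild.exe|csc.exe|csc.exe /noconfig @"C:\src\proj\obj\Debug\build.cmdline"',
    # WS02: csc.exe under pwsh, cvtres.exe nine minutes later -> outside the 5-minute window, no alert
    r'2024-02-09T10:02:00|WS02|pwsh.exe|csc.exe|csc.exe /noconfig @"C:\Users\bob\AppData\Local\Temp\zz9\zz9.cmdline"',
    r'2024-02-09T10:11:00|WS02|pwsh.exe|cvtres.exe|cvtres.exe /NOLOGO @"C:\Users\bob\AppData\Local\Temp\zz9\zz9.cmdline"',
]


def parse_event(line):
    """Parse one constructed pipe-delimited process event into a dict."""
    ts, host, parent, proc, cmd = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent.lower(),
        "process": proc.lower(),
        "cmd": cmd,
    }


def is_candidate(ev):
    """True when the event matches all three per-event conditions of the rule."""
    return (
        ev["parent"] in PARENTS
        and ev["process"] in CHILDREN
        and CMDLINE_FILE.search(ev["cmd"]) is not None
    )


def detect(lines, window_minutes=5):
    """Return one alert per host burst in which both csc.exe and cvtres.exe were
    spawned by PowerShell with a Temp .cmdline file inside the time window."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])

    # Keep only candidate events, grouped per host and in time order.
    by_host = {}
    for ev in events:
        if is_candidate(ev):
            by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            anchor = evs[i]
            window_evs = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            if {e["process"] for e in window_evs} == CHILDREN:
                alerts.append({
                    "host": host,
                    "start": anchor["ts"],
                    "processes": sorted(e["process"] for e in window_evs),
                    "count": len(window_evs),
                })
                i += len(window_evs)  # skip the rest of this burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for WS01; the MSBuild-spawned csc.exe on BUILD01 and the two WS02 events (nine minutes apart) produce nothing. When triaging a hit, keep in mind that PowerShell's own Add-Type cmdlet compiles C# through exactly this csc.exe / .cmdline path, so legitimate administrative scripts can fire the same pattern; the parent script contents and the account involved are what separate reconnaissance tooling from routine use.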
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1087.002
  • T1059.001
  • T1087
  • T1082
Created: 2024-02-09