
Summary
This detection rule identifies attempts by adversaries to enumerate installed software and its versions on Windows systems, typically as part of the reconnaissance phase. The tactic aims to gather insight into the target's software landscape, including the security measures in place, and to identify potential exploit paths based on known vulnerabilities. The primary logic leverages logs generated by Windows PowerShell commands and wmic (Windows Management Instrumentation Command-line) queries that are commonly used for software enumeration. The rule triggers on Event IDs 4103 and 4104 associated with PowerShell software discovery activity, as well as on specific command patterns that suggest direct software enumeration attempts. This capability enhances security monitoring by providing visibility into unauthorized software discovery, helping security teams assess potential risks and mitigate threats promptly.
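The following is an added, illustrative implementation of the detection logic described above; it is not the rule's own query or code. It filters PowerShell events by the two Event IDs named on the page (4103 module logging, 4104 script block logging) and then matches the logged command text against a small set of software-enumeration patterns. The pattern list, the Event field layout and the sample log records are all assumptions constructed for this example; the real rule's patterns and data model may differ.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Microsoft-Windows-PowerShell/Operational event IDs the rule keys on:
# 4103 = module logging (command invocation), 4104 = script block logging.
POWERSHELL_EVENT_IDS = {4103, 4104}

# Command fragments commonly associated with installed-software enumeration.
# This list is an assumption of the example, not the rule's actual content.
SOFTWARE_DISCOVERY_PATTERNS = [
    re.compile(r"win32_product", re.I),                    # Get-WmiObject / Get-CimInstance Win32_Product
    re.compile(r"\\uninstall\\?", re.I),                    # ...\CurrentVersion\Uninstall registry key
    re.compile(r"\bget-package\b", re.I),                   # PackageManagement enumeration
    re.compile(r"\bwmic(\.exe)?\b.*\bproduct\b", re.I),     # wmic product get ...
    re.compile(r"\bget-itemproperty\b.*\buninstall\b", re.I),
]


@dataclass
class Event:
    """Minimal view of a normalised Windows event (constructed field layout)."""
    event_id: int
    computer: str
    user: str
    message: str  # ScriptBlockText (4104) or Payload (4103)


def is_software_discovery(event: Event) -> bool:
    """True when a PowerShell logging event carries a software-enumeration pattern."""
    if event.event_id not in POWERSHELL_EVENT_IDS:
        return False
    return any(p.search(event.message) for p in SOFTWARE_DISCOVERY_PATTERNS)


def detect(events):
    """Return the events that satisfy the rule logic, in input order."""
    return [e for e in events if is_software_discovery(e)]


def summarize(matches):
    """Count matches per (computer, user) to support triage of repeated enumeration."""
    return Counter((e.computer, e.user) for e in matches)


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    Event(4104, "WS-01", "CORP\\alice",
          r"Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* "
          r"| Select-Object DisplayName, DisplayVersion"),
    Event(4104, "WS-01", "CORP\\alice",
          "Get-WmiObject -Class Win32_Product | Select-Object Name, Version"),
    Event(4103, "WS-02", "CORP\\svc_deploy",
          'CommandInvocation(Get-Package): "Get-Package"'),
    Event(4104, "WS-02", "CORP\\svc_deploy",
          "wmic product get name,version"),
    # Benign PowerShell activity: same event ID, no enumeration pattern.
    Event(4104, "WS-03", "CORP\\bob",
          "Get-Process | Sort-Object CPU -Descending | Select-Object -First 10"),
    # Matching text but a process-creation event ID: outside this rule's PowerShell-log logic.
    Event(4688, "WS-03", "CORP\\bob", "wmic product get name,version"),
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for e in hits:
        print(f"{e.event_id} {e.computer} {e.user}: {e.message}")
    print(summarize(hits))
```

Note that the 4688 record is deliberately excluded: the logic above only covers the PowerShell operational log, so wmic launched outside PowerShell would need a process-creation data source rather than this rule's event IDs. The per-host/per-user summary is a triage aid, since a single uninstall-key query from an administrator reads very differently from repeated enumeration under a service account.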
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1518
Created: 2024-02-09