
Summary
This detection rule identifies file and directory discovery on Windows systems where the enumeration output is written to a file. Such behavior typically indicates that an adversary is mapping the file system structure and locating specific files, potentially to facilitate further malicious activity. The logic queries EDR process telemetry for directory-listing commands (such as tree, dir, or Get-ChildItem) whose output is redirected to a file, for example with Out-File in PowerShell or the > redirection operator in cmd.exe. This maps to ATT&CK technique T1083 (File and Directory Discovery). Adversaries associated with this behavior include APT28, known for reconnaissance and intelligence-gathering operations. The logic filters events from the last two hours for command executions that match the detection criteria.
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1083
Created: 2024-02-09