
Summary
This rule, authored by Elastic, detects execution of the Windows file system utility `fsutil.exe` with the `fsinfo` subcommand that lists the drives attached to the host (`fsutil fsinfo drives`). Drive enumeration is common in post-compromise discovery, where an attacker inventories available storage, including secondary drives that may contain sensitive data. The detection query is written in EQL (Event Query Language) and matches process start events for `fsutil.exe`, filtered on the command-line arguments so that only the drive listing matches.

On its own, a `fsutil fsinfo drives` execution is a weak signal: administrators and scripts run it legitimately, so false positives from benign discovery are expected, and the rule's low severity rating suggests monitoring and enrichment rather than immediate escalation. Analysts should examine the process execution hierarchy (the parent process and anything it spawned afterward) and the user context to decide whether the activity was appropriate, look for anomalies in that account's behavior, and correlate with other alerts on the same host over a short timeframe. If the activity is judged malicious, response should follow the organization's incident response plan: isolate and analyze the compromised host, scope the intrusion, and update security policies and detection coverage based on the findings.
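The following is an added example, not Elastic's rule code: a Python rendering of the detection logic described above, run over constructed process-start events, plus a small helper for the "correlate alerts over a short timeframe" triage step. The ECS-style flat field names, the sample events, the five-minute window, and the extra check on `process.pe.original_file_name` (included here to catch renamed copies of the binary; whether the rule itself does this is not stated on this page) are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process events in an ECS-like flat shape.
# These are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "ws01", "user.name": "alice",
     "event.type": "start", "process.name": "fsutil.exe",
     "process.parent.name": "cmd.exe",
     "process.args": ["fsutil.exe", "fsinfo", "drives"]},
    # Same utility, different fsinfo subcommand: must not fire.
    {"@timestamp": "2024-05-01T10:00:30Z", "host.name": "ws01", "user.name": "alice",
     "event.type": "start", "process.name": "fsutil.exe",
     "process.parent.name": "cmd.exe",
     "process.args": ["fsutil.exe", "fsinfo", "volumeinfo", "C:"]},
    # Renamed binary; only the PE original file name still says fsutil (assumed field).
    {"@timestamp": "2024-05-01T10:02:00Z", "host.name": "ws02", "user.name": "svc-backup",
     "event.type": "start", "process.name": "fs.exe",
     "process.pe.original_file_name": "fsutil.exe",
     "process.parent.name": "powershell.exe",
     "process.args": ["fs.exe", "FSINFO", "DRIVES"]},
    # Process end rather than start: ignored by the rule.
    {"@timestamp": "2024-05-01T10:02:01Z", "host.name": "ws02", "user.name": "svc-backup",
     "event.type": "end", "process.name": "fs.exe",
     "process.args": ["fs.exe", "fsinfo", "drives"]},
    # Second enumeration on ws01 three minutes later, spawned by a script host.
    {"@timestamp": "2024-05-01T10:03:00Z", "host.name": "ws01", "user.name": "alice",
     "event.type": "start", "process.name": "FSUTIL.EXE",
     "process.parent.name": "wscript.exe",
     "process.args": ["FSUTIL.EXE", "fsinfo", "drives"]},
]


def is_fsutil_drive_enumeration(event: dict) -> bool:
    """Rule logic: a process *start* of fsutil.exe whose arguments contain both
    'fsinfo' and 'drives'. Matching is case-insensitive, as EQL's ':' operator is."""
    if event.get("event.type") != "start":
        return False
    names = {
        (event.get("process.name") or "").lower(),
        # Assumption for this example: also accept the PE original file name,
        # so a renamed copy of fsutil.exe is still caught.
        (event.get("process.pe.original_file_name") or "").lower(),
    }
    if "fsutil.exe" not in names:
        return False
    args = {a.lower() for a in event.get("process.args", [])}
    return {"fsinfo", "drives"} <= args


def run_rule(events):
    """Evaluate the rule over an event stream and return alert records that keep
    the fields an analyst wants first: host, user, and the parent process."""
    alerts = []
    for ev in events:
        if is_fsutil_drive_enumeration(ev):
            alerts.append({
                "ts": datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")),
                "host": ev["host.name"],
                "user": ev.get("user.name"),
                "parent": ev.get("process.parent.name"),
            })
    return alerts


def hosts_with_repeated_alerts(alerts, window=timedelta(minutes=5), threshold=2):
    """Triage helper: map host -> largest number of alerts that fall inside any
    span of length `window`, for hosts reaching `threshold`. One fsutil run is
    usually admin noise; several in quick succession on one host deserve a look
    at the process tree and the account involved."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a["ts"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    found = run_rule(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['host']} user={a['user']} parent={a['parent']}")
    print("hosts with repeated alerts:", hosts_with_repeated_alerts(found))
```

Running the block yields three alerts (the `volumeinfo` call and the process-end event are skipped) and flags `ws01`, where two enumerations occur within five minutes; the renamed-binary case on `ws02` fires once and would be worth a look on its own because of the `powershell.exe` parent, which is exactly the hierarchy check the summary recommends.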
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- File
- Sensor Health
ATT&CK Techniques
- T1120
Created: 2020-11-02