Windows PsTools Recon Usage

Splunk Security Content

Summary
This detection rule targets execution of the Sysinternals PsTools, a suite commonly used for reconnaissance and information gathering on Windows endpoints. PsTools, including PsExec, PsInfo, PsPing and others, serve legitimate administrative tasks but are equally useful to threat actors for collecting system, account, network and service information during the discovery phase and for lateral movement. The rule monitors process creation events and examines PE metadata (the original file name carried in the binary's version information) rather than relying only on the on-disk process name, so a renamed PsTools binary can still be identified. A match may indicate targeted reconnaissance or an attacker expanding an initial foothold, which often precedes lateral movement or credential abuse. The detection consumes process telemetry from Sysmon Event ID 1 and Windows Security Event ID 4688; note that 4688 does not record PE version metadata, so the original-file-name check only applies to Sysmon or EDR events that carry it. Deployment requires that EDR agent or Sysmon process logs are collected and correctly parsed so that process name, original file name, command line, user and host fields are all available for analysis.
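The following is an added example, not Splunk's SPL and not code from the Security Content project: a small Python re-implementation of the detection idea described above, run over constructed process-creation records. The list of PsTools file names beyond PsExec, PsInfo and PsPing is assumed for the example, as is the convention that each tool's OriginalFileName equals its file name (PsExec's real OriginalFileName is `psexec.c`). The field names approximate Splunk's Endpoint.Processes data model and the `allowed_users` allowlist is a tuning hook this example adds.

```python
"""Added example: PsTools recon detection over constructed Sysmon/4688 records."""
from collections import defaultdict

# Canonical on-disk names of the Sysinternals PsTools. Only PsExec, PsInfo and
# PsPing are named on the page; the rest of this list is assumed for the example.
PSTOOLS = {
    "psexec.exe", "psexec64.exe", "psinfo.exe", "psinfo64.exe",
    "psping.exe", "psping64.exe", "psloggedon.exe", "psloggedon64.exe",
    "pslist.exe", "pslist64.exe", "psservice.exe", "psservice64.exe",
    "psgetsid.exe", "psfile.exe", "psloglist.exe",
}

# OriginalFileName from the PE version resource. Renaming the file on disk does
# not change it, which is why the rule checks PE metadata and not only the
# process name. "psexec.c" is the value PsExec actually ships with; for the other
# tools this example assumes OriginalFileName equals the file name.
PSTOOLS_ORIGINAL_NAMES = {"psexec.c"} | PSTOOLS


def classify(rec):
    """Return why a record matches ("process_name" or "original_file_name") or None."""
    name = (rec.get("process_name") or "").lower()
    orig = (rec.get("original_file_name") or "").lower()
    if name in PSTOOLS:
        return "process_name"
    if orig in PSTOOLS_ORIGINAL_NAMES:
        return "original_file_name"
    return None


def detect(records, allowed_users=frozenset()):
    """Return one hit per matching record.

    allowed_users is a tuning allowlist of lowercase DOMAIN\\user values for
    accounts known to run PsTools legitimately (e.g. a deployment service account).
    """
    hits = []
    for rec in records:
        reason = classify(rec)
        if reason is None:
            continue
        if (rec.get("user") or "").lower() in allowed_users:
            continue
        hits.append({
            "source": rec["source"], "dest": rec["dest"], "user": rec["user"],
            "process_name": rec["process_name"],
            "original_file_name": rec.get("original_file_name"),
            "command_line": rec["process"], "matched_on": reason,
        })
    return hits


def summarize(hits):
    """Group hits by (dest, user), the way a `stats count ... by dest user` would."""
    out = defaultdict(lambda: {"count": 0, "tools": set()})
    for h in hits:
        entry = out[(h["dest"], h["user"])]
        entry["count"] += 1
        entry["tools"].add(h["original_file_name"] or h["process_name"])
    return dict(out)


# Constructed sample events, not real telemetry. Security 4688 events carry no
# PE version information, so original_file_name is absent for those.
SAMPLE_EVENTS = [
    {"source": "Sysmon:1", "dest": "WKS01", "user": "CORP\\jdoe",
     "process_name": "psinfo.exe", "original_file_name": "psinfo.exe",
     "process": "psinfo.exe -d -s"},
    {"source": "Sysmon:1", "dest": "WKS01", "user": "CORP\\jdoe",
     "process_name": "svchost.exe", "original_file_name": "psexec.c",  # renamed PsExec
     "process": "svchost.exe \\\\FS01 -s -accepteula cmd.exe"},
    {"source": "Security:4688", "dest": "WKS02", "user": "CORP\\jdoe",
     "process_name": "svchost.exe",  # same renamed binary; 4688 gives no PE metadata
     "process": "svchost.exe \\\\FS01 -s -accepteula cmd.exe"},
    {"source": "Security:4688", "dest": "WKS02", "user": "CORP\\jdoe",
     "process_name": "psping.exe", "process": "psping.exe -n 5 10.0.0.5:445"},
    {"source": "Sysmon:1", "dest": "WKS03", "user": "CORP\\svc_deploy",
     "process_name": "psexec64.exe", "original_file_name": "psexec.c",
     "process": "psexec64.exe \\\\WKS03 -s msiexec /i app.msi"},
    {"source": "Sysmon:1", "dest": "WKS03", "user": "CORP\\jdoe",
     "process_name": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "process": "powershell.exe -nop -c Get-Date"},
]


def run_sample():
    """Run the detection over the sample with the deployment account allowlisted."""
    hits = detect(SAMPLE_EVENTS, allowed_users={"corp\\svc_deploy"})
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, summary = run_sample()
    for h in hits:
        print(f"{h['source']:13} {h['dest']} {h['user']} {h['process_name']} "
              f"matched_on={h['matched_on']} cmd={h['command_line']}")
    for (dest, user), s in summary.items():
        print(dest, user, s["count"], sorted(s["tools"]))
```

Running it produces three hits: the PsInfo execution and the renamed PsExec on WKS01 (the latter caught only because the Sysmon event carries `psexec.c` as OriginalFileName) and the PsPing execution on WKS02. The identical renamed PsExec execution recorded only as a 4688 event on WKS02 is missed, which is the coverage gap to keep in mind when the rule runs on Security log data alone; the allowlisted deployment account is suppressed as tuning.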
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1082 (System Information Discovery)
  • T1046 (Network Service Discovery)
  • T1018 (Remote System Discovery)
Created: 2025-10-23