
Summary
This detection rule identifies potential misuse of the PsLogList utility, which is part of the Sysinternals suite. PsLogList can dump event logs, including the Security, Application, and System logs. Malicious actors may use this tool to enumerate administrator accounts during reconnaissance (account discovery) and potentially cover their tracks by clearing event log entries. The rule fires when it sees specific command line parameters that indicate an intent to extract log data. A combination of file name checks, command line analysis, and specific flags associated with PsLogList helps determine whether the command execution is legitimate or suspicious. False positives may arise from other legitimate administrative uses of PsLogList, or from other applications that use similar command line arguments. Tuning of the rule may be necessary to reduce noise from these legitimate use scenarios.
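The following is an added example, not the rule's own definition or any Sysinternals code: a small Python implementation of the three checks the description lists (image name, target log in the command line, and an extraction-related switch), run over constructed process-creation events. The Sysmon-style field names, the two executable names, and the switch list (taken from PsLogList's documented -c, -d, -g, -s and -x options) are assumptions, as is the decision to treat a command that uses none of those switches as non-matching.

```python
"""Toy reimplementation of the PsLogList detection logic described above.

Constructed example; the events below are made up and use Sysmon-style
field names (Image, CommandLine) as an assumption.
"""
import ntpath
import shlex

# Executable names the image check accepts (assumption: 32- and 64-bit builds).
PSLOGLIST_IMAGES = ("psloglist.exe", "psloglist64.exe")

# Event logs whose extraction the rule is interested in.
TARGET_LOGS = {"security", "application", "system"}

# Switches tied to dumping or clearing a log (assumption; PsLogList accepts
# both '-' and '/' prefixes): -c clear after dump, -d last n days,
# -g export to an .evt file, -s one record per line, -x dump extended data.
EXTRACTION_FLAGS = {"c", "d", "g", "s", "x"}


def is_suspicious_psloglist(event: dict) -> bool:
    """True when the image is PsLogList, the command line names a target log,
    and at least one extraction-related switch is present."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in PSLOGLIST_IMAGES:
        return False
    # posix=False keeps Windows backslashes (e.g. \\host arguments) intact.
    tokens = [t.lower() for t in shlex.split(event.get("CommandLine", ""), posix=False)[1:]]
    names_target_log = any(t.strip('"') in TARGET_LOGS for t in tokens)
    has_flag = any(len(t) == 2 and t[0] in "-/" and t[1] in EXTRACTION_FLAGS for t in tokens)
    return names_target_log and has_flag


# Constructed process-creation events: two that match, one PsLogList run
# without an extraction switch, and an unrelated tool that names a log.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsLogList.exe", "CommandLine": "PsLogList.exe -accepteula -s -x security"},
    {"Image": r"C:\Tools\psloglist64.exe", "CommandLine": "psloglist64.exe -c application"},
    {"Image": r"C:\Tools\PsLogList.exe", "CommandLine": "PsLogList.exe -h 24 security"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil qe Security /c:5"},
]


def match_events(events):
    """Return the command lines of the events the rule would flag."""
    return [e["CommandLine"] for e in events if is_suspicious_psloglist(e)]


if __name__ == "__main__":
    for cmd in match_events(SAMPLE_EVENTS):
        print("suspicious:", cmd)
```

The first sample is exactly the kind of command a legitimate administrator might also run, which is the false-positive case the description warns about; an allow-list on user or host is the usual tuning.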
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-12-18