
Summary
This detection rule identifies attempts by adversaries to discover network connections on Windows systems (ATT&CK T1049, System Network Connections Discovery). It uses recent process events from the CrowdStrike EDR and looks for the commands commonly used to enumerate active connections and sessions: 'netstat', 'net use', 'net session', and PowerShell's 'Get-NetTCPConnection' cmdlet. The Snowflake query restricts the search to process events from the last two hours and matches on the command line of the executing process.

Threat actors such as Alloy Taurus (also tracked as Gallium) and Volt Typhoon have used these commands for reconnaissance during intrusions, which is why this activity is worth monitoring. These are built-in Windows tools that administrators also run, so a hit should be reviewed in the context of the user, the host and the processes that ran before and after it rather than treated as malicious on its own. The rule is built on the corresponding Atomic Red Team tests for T1049, which provide a standard way to validate that it fires.
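The matching logic described above, as an added example that is not the rule's own Snowflake query and not CrowdStrike's schema: a Python re-implementation run over a few constructed CrowdStrike-style process events. The field names (timestamp, ImageFileName, CommandLine, ComputerName, UserName) and the two-hour lookback are assumptions made for the example. It also shows two edge cases a practitioner cares about: 'net user' (account discovery, not this rule) must not match, and a file name that merely contains 'netstat' must not match either.

```python
"""Added example: T1049 network-connection-discovery detection logic run over
constructed CrowdStrike-style process events.  Illustrative code written for
this page; field names and the lookback window are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# One compiled pattern per command family the rule looks for.  Requiring a
# token boundary before and after the binary name keeps "C:\netstat.txt" from
# matching, which a bare substring search on 'netstat' would not.
PATTERNS = {
    "netstat": re.compile(r'(?:^|[\\/\s"])netstat(?:\.exe)?(?:"|\s|$)', re.I),
    # net.exe / net1.exe followed by the "use" or "session(s)" verb.
    # "net user" is account discovery (T1087), not this rule, and must not match.
    "net use/session": re.compile(
        r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+(?:use|sessions?)(?:\s|$)', re.I),
    "Get-NetTCPConnection": re.compile(r"get-nettcpconnection", re.I),
}


def classify(command_line):
    """Return the command family the command line matches, or None."""
    for name, pattern in PATTERNS.items():
        if pattern.search(command_line or ""):
            return name
    return None


def find_network_discovery(events, now, window=timedelta(hours=2)):
    """Keep process events from the last `window` whose command line is one of
    the enumeration commands.  `now` is a parameter so the function is
    deterministic and testable."""
    cutoff = now - window
    hits = []
    for ev in events:
        if ev["timestamp"] < cutoff:
            continue  # outside the lookback window
        family = classify(ev["CommandLine"])
        if family:
            hits.append({**ev, "technique": "T1049", "matched": family})
    return hits


NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"timestamp": NOW - timedelta(minutes=10), "ComputerName": "WS01", "UserName": "jdoe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\NETSTAT.EXE",
     "CommandLine": "netstat -ano"},
    {"timestamp": NOW - timedelta(minutes=30), "ComputerName": "WS01", "UserName": "jdoe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\net.exe",
     "CommandLine": r'"C:\Windows\System32\net.exe" use'},
    {"timestamp": NOW - timedelta(hours=1), "ComputerName": "SRV02", "UserName": "svc_backup",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\net1.exe",
     "CommandLine": "net1 session"},
    {"timestamp": NOW - timedelta(minutes=5), "ComputerName": "WS07", "UserName": "admin",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -c "Get-NetTCPConnection -State Established"'},
    # Older than the lookback window: ignored even though the command matches.
    {"timestamp": NOW - timedelta(hours=3), "ComputerName": "WS01", "UserName": "jdoe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\NETSTAT.EXE",
     "CommandLine": "netstat -an"},
    # Account discovery, not connection discovery: must not match.
    {"timestamp": NOW - timedelta(minutes=1), "ComputerName": "WS03", "UserName": "jdoe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\net.exe",
     "CommandLine": "net user"},
    # A file name containing "netstat" is not the netstat binary.
    {"timestamp": NOW - timedelta(minutes=2), "ComputerName": "WS03", "UserName": "jdoe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\netstat.txt"},
]

if __name__ == "__main__":
    for hit in find_network_discovery(SAMPLE_EVENTS, NOW):
        print(f'{hit["timestamp"]:%H:%M} {hit["ComputerName"]} {hit["UserName"]}: '
              f'{hit["matched"]} <- {hit["CommandLine"]}')
```

Run as a script it reports four hits (netstat, net use, net1 session, Get-NetTCPConnection) and drops the stale netstat, the 'net user' invocation and the notepad command. Two things the example deliberately does not cover, and which the production query also does not: PowerShell encoded commands (-EncodedCommand) hide the cmdlet name from a command-line match, and legitimate administrative drive mapping with 'net use' will match, so the analyst still has to triage on user and host context.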
Categories
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1049
Created: 2024-02-09