PUA - Nmap/Zenmap Execution

Sigma Rules

Summary
This detection rule identifies potential misuse of Nmap or Zenmap, network scanning tools commonly used by malicious actors to probe and enumerate the services available on remote hosts. The ability to scan networks for open ports can expose vulnerable services that may be exploited for unauthorized access or further attacks. The rule triggers an alert whenever a logged process-creation event indicates that either tool has been executed, allowing rapid identification of potential reconnaissance by adversaries. It is scoped to Windows systems, as both tools run natively on that platform, and matches on the specific executable file paths that signify the execution of Nmap or Zenmap. Because legitimate administrative tasks may also invoke these tools, administrators must assess the context of each alert to mitigate false positives effectively.
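The rule logic described above, applied to a handful of constructed process-creation events, as an added example that is not the Sigma project's own code. The executable names (nmap.exe, zenmap.exe), the Sysmon-like field names (EventID, Image, User, ParentImage, CommandLine) and the allowlist of sanctioned scanning accounts are assumptions made for the example, not details taken from the page.

```python
# Added example, not the Sigma project's code: applies the rule logic the summary
# describes to constructed Windows process-creation events. Executable names
# (nmap.exe, zenmap.exe) and field names (Image, User, ParentImage) are assumptions.
from typing import Iterable

# Rule logic as described: the process image path ends with one of these names.
NMAP_IMAGE_SUFFIXES = ("\\nmap.exe", "\\zenmap.exe")

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Nmap\nmap.exe", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "nmap -sS 10.0.0.0/24"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Nmap\ZENMAP.EXE", "User": "CORP\\netops-svc",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "zenmap.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # Network-connection event from nmap: out of scope, the rule covers process creation only.
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Nmap\nmap.exe", "DestinationIp": "10.0.0.5"},
]


def matches_rule(event: dict) -> bool:
    """True when a process-creation event's Image ends with a watched executable name."""
    if event.get("EventID") != 1:
        return False
    # Sigma string matching is case-insensitive, so normalise before comparing.
    return event.get("Image", "").lower().endswith(NMAP_IMAGE_SUFFIXES)


def triage(events: Iterable[dict], approved_scanner_accounts: frozenset = frozenset()) -> list:
    """Run the rule and attach the context an analyst needs to weigh false positives.

    approved_scanner_accounts is an assumed, site-specific allowlist: matching hits are
    still reported, only tagged, so a sanctioned scan is not escalated blindly.
    """
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "image": ev["Image"],
                "user": ev.get("User", "?"),
                "parent": ev.get("ParentImage", "?"),
                "command_line": ev.get("CommandLine", ""),
                "likely_sanctioned": ev.get("User") in approved_scanner_accounts,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, frozenset({"CORP\\netops-svc"})):
        print(hit)
```

Note that a renamed copy of the binary would not match a path-based check like this, which is the usual blind spot of file-name detections and a reason to pair the rule with other telemetry.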
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1046
Created: 2021-12-10