
Summary
This detection rule identifies potentially malicious use of Windows discovery-related API functions by PowerShell scripts. Attackers may use these functions for reconnaissance, including user enumeration, session checks, domain trust evaluation, and gathering information on local and network shares. The rule works by matching script content against specific API function calls commonly seen in such activity, while excluding legitimate usage that is recognizable from established script characteristics. It also includes detailed investigation guidelines covering verification of the script content, analysis of the execution chain, review of associated alerts, and mitigation of potential incidents. It strengthens security posture by flagging unauthorized discovery actions and providing a framework for an appropriate response when such activity is detected.
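As an added illustration (not the rule's own query or any vendor code), the following Python sketch shows the match-then-exclude approach described above applied to sample script block text. The API names, the exclusion marker and the sample scripts are assumptions constructed for this example, since the page does not reproduce the rule's actual terms.

```python
import re

# Discovery-related Win32 API names grouped by the reconnaissance goal the
# summary lists. ASSUMPTION: the page does not give the rule's own list, so
# these are well-known netapi32/ntdsapi/mpr functions that fit each category.
DISCOVERY_APIS = {
    "user enumeration": ["NetUserEnum", "NetLocalGroupEnum", "NetLocalGroupGetMembers"],
    "session checks": ["NetSessionEnum", "NetWkstaUserEnum"],
    "domain trusts": ["DsEnumerateDomainTrusts"],
    "share discovery": ["NetShareEnum", "WNetEnumResource"],
}

# Hypothetical exclusion: a script carrying an approved inventory marker is
# treated as legitimate usage (an assumed placeholder, not from the page).
LEGIT_MARKERS = ("# Approved-Inventory-Script",)

# Match API names as whole identifiers, e.g. inside a DllImport/Add-Type stub.
_API_RE = re.compile(r"\b(" + "|".join(n for ns in DISCOVERY_APIS.values() for n in ns) + r")\b")

def classify_script(text: str) -> dict:
    """Return matched APIs by category plus whether the script should alert."""
    if any(marker in text for marker in LEGIT_MARKERS):
        return {"alert": False, "matches": {}, "reason": "excluded: approved marker"}
    found = set(_API_RE.findall(text))
    matches = {cat: sorted(found & set(ns)) for cat, ns in DISCOVERY_APIS.items() if found & set(ns)}
    reason = "discovery API reference" if matches else "no match"
    return {"alert": bool(matches), "matches": matches, "reason": reason}

# Constructed sample script block events (not real captures).
SAMPLE_SUSPICIOUS = '''
$sig = @"
[DllImport("netapi32.dll")] public static extern int NetSessionEnum(string s, string c, string u, int l, out IntPtr b, int p, out int e, out int t, ref int r);
[DllImport("netapi32.dll")] public static extern int NetShareEnum(string s, int l, out IntPtr b, int p, out int e, out int t, ref int r);
"@
Add-Type -MemberDefinition $sig -Name Net -Namespace Win32
'''
SAMPLE_BENIGN = "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"
SAMPLE_EXCLUDED = "# Approved-Inventory-Script\n" + SAMPLE_SUSPICIOUS

if __name__ == "__main__":
    for name, script in [("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN), ("excluded", SAMPLE_EXCLUDED)]:
        print(name, classify_script(script))
```

In a real deployment the exclusion would be keyed on the script characteristics the rule documents rather than a text marker, and the match results would feed the investigation steps listed in the summary.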
Categories
- Windows
- Endpoint
Data Sources
- Script
- Logon Session
ATT&CK Techniques
- T1069
- T1069.001
- T1087
- T1087.001
- T1482
- T1135
- T1059
- T1059.001
- T1106
- T1039
Created: 2021-10-13