
Summary
This detection rule identifies reconnaissance activities conducted on a Windows system using command-line utilities. The focus is on the creation of processes associated with specific utilities that are commonly used for data collection by attackers. Key processes being monitored include 'tree.com', 'WMIC.exe', 'doskey.exe', and 'sc.exe'. The rule captures instances where the command line arguments suggest redirecting output to temporary files, indicating an attempt to gather internal information quietly. By monitoring these activities, the rule aims to detect potential adversarial behavior that may indicate the early stages of a compromise or data exfiltration plan.
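As an added example (not the rule's own logic, whose exact matching pattern the page does not give), the detection the summary describes can be sketched in Python over constructed process-creation events. It assumes Sysmon-style Image and CommandLine fields and models "redirecting output to temporary files" as a > or >> redirect into %TEMP%, %TMP% or a ...\Temp\ path; the four image names come from the summary.

```python
import re
from typing import Dict, List

# Process images named in the rule summary; compared case-insensitively on the basename.
WATCHED_IMAGES = {"tree.com", "wmic.exe", "doskey.exe", "sc.exe"}

# Assumption: "output redirected to a temporary file" is modelled as a shell redirect
# (">" or ">>") followed by a path under a temp location. The real rule's pattern is
# not given on the page, so this is illustrative only.
REDIRECT_TO_TEMP = re.compile(
    r'>{1,2}\s*"?(?:%temp%|%tmp%|[a-z]:\\(?:[^\s"]*\\)?temp\\)[^\s"]*',
    re.IGNORECASE,
)


def basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_recon_redirect(event: Dict[str, str]) -> bool:
    """True when a watched utility writes its output to a temp path."""
    if basename(event.get("Image", "")) not in WATCHED_IMAGES:
        return False
    return REDIRECT_TO_TEMP.search(event.get("CommandLine", "")) is not None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert."""
    return [e for e in events if is_recon_redirect(e)]


# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tree.com", "CommandLine": r"tree.com C:\Users /F > %TEMP%\t.txt"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"WMIC.exe process list full >> C:\Users\bob\AppData\Local\Temp\out.txt"},
    {"Image": r"C:\Windows\System32\doskey.exe", "CommandLine": r"doskey /history > C:\Windows\Temp\h.txt"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": r"sc.exe query state= all"},  # no redirect
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd /c dir > %TEMP%\d.txt"},  # not watched
    {"Image": r"C:\Windows\System32\tree.com", "CommandLine": r"tree.com C:\Projects > C:\Projects\layout.txt"},  # not temp
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Only the first three sample events match; the sc.exe query without a redirect, the unwatched cmd.exe, and the tree.com write to a non-temp path are left alone.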
Categories
- Endpoint
- Windows
- Cloud
- On-Premise
Data Sources
- Process
- Command
ATT&CK Techniques
- T1119
Created: 2021-07-30