
masscan Execution - Windows

Anvilogic Forge

Summary
This rule detects execution of masscan, a high-speed network port scanner that threat actors commonly use to sweep large IP ranges for open ports and potentially vulnerable services. The detection logic targets the Windows PowerShell event codes 4103 (module logging) and 4104 (script block logging), using a Splunk query over endpoint data and filtering on terms that identify the masscan executable. Matching events are reduced to a concise view of each execution, with timestamp, hostname, user account, and process details for analysis. Because the logic keys on PowerShell events, it fires only when masscan is launched through PowerShell on a host that records and forwards those event codes; launches from other parents are not covered by this rule. Monitoring these events lets organizations identify unauthorized or suspicious masscan activity that may indicate network reconnaissance.
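The following is an added example, not Anvilogic's Splunk rule: a small Python re-implementation of the detection idea above, run over constructed PowerShell 4103/4104 events. The field names (`_time`, `EventCode`, `ComputerName`, `User`, `ScriptBlockText`, `Payload`) mirror how Windows PowerShell log fields commonly appear in Splunk but are assumptions here, as are the sample events themselves.

```python
import re
from dataclasses import dataclass

# Event codes the rule keys on: 4103 = PowerShell module logging (command and
# parameter binding), 4104 = PowerShell script block logging (the script text).
POWERSHELL_EXEC_EVENTS = {4103, 4104}

# Filter term for the masscan executable; case-insensitive so "MASSCAN.EXE" hits too.
MASSCAN_TERM = re.compile(r"masscan(?:\.exe)?", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    time: str
    host: str
    user: str
    event_code: int
    command: str  # the single log line that names masscan


def _event_text(event: dict) -> str:
    # 4104 carries the script in ScriptBlockText; 4103 carries the invocation
    # details in Payload. Both field names are assumptions for this example.
    return event.get("ScriptBlockText") or event.get("Payload") or ""


def detect_masscan(events) -> list:
    """Return one Hit per PowerShell 4103/4104 event that references masscan."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in POWERSHELL_EXEC_EVENTS:
            continue  # e.g. 4688 process creation is outside this rule's scope
        text = _event_text(ev)
        if not MASSCAN_TERM.search(text):
            continue
        # Keep only the line that names masscan so the overview stays concise.
        line = next(ln for ln in text.splitlines() if MASSCAN_TERM.search(ln))
        hits.append(Hit(ev["_time"], ev["ComputerName"], ev["User"],
                        ev["EventCode"], line.strip()))
    return hits


def summarize(hits) -> dict:
    """Collapse hits to one row per (host, user): count, first/last seen, commands."""
    rows = {}
    for h in sorted(hits, key=lambda x: x.time):
        row = rows.setdefault((h.host, h.user), {
            "count": 0, "first_seen": h.time, "last_seen": h.time, "commands": []})
        row["count"] += 1
        row["last_seen"] = h.time
        if h.command not in row["commands"]:
            row["commands"].append(h.command)
    return rows


# Constructed sample events (not real telemetry). The 4688 entry is present only
# to show that a non-PowerShell process-creation record is ignored by this logic.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:15:02Z", "EventCode": 4104, "ComputerName": "WKS-042",
     "User": "CORP\\jdoe",
     "ScriptBlockText": "Start-Process -FilePath C:\\Tools\\masscan.exe "
                        "-ArgumentList '-p22,80,443 10.0.0.0/16 --rate 10000'"},
    {"_time": "2024-02-09T10:15:03Z", "EventCode": 4103, "ComputerName": "WKS-042",
     "User": "CORP\\jdoe",
     "Payload": "CommandInvocation(Start-Process): \"Start-Process\"\n"
                "ParameterBinding(Start-Process): name=\"FilePath\"; "
                "value=\"C:\\Tools\\masscan.exe\""},
    {"_time": "2024-02-09T10:16:30Z", "EventCode": 4104, "ComputerName": "SRV-01",
     "User": "CORP\\svc_backup",
     "ScriptBlockText": "Get-ChildItem C:\\Backups | Compress-Archive "
                        "-DestinationPath D:\\arch.zip"},
    {"_time": "2024-02-09T10:17:00Z", "EventCode": 4688, "ComputerName": "WKS-042",
     "User": "CORP\\jdoe", "NewProcessName": "C:\\Tools\\masscan.exe"},
]


if __name__ == "__main__":
    for (host, user), row in summarize(detect_masscan(SAMPLE_EVENTS)).items():
        print(f"{host} {user}: {row['count']} event(s) "
              f"{row['first_seen']} .. {row['last_seen']}")
        for cmd in row["commands"]:
            print("   ", cmd)
```

Two properties of the logic are worth noting when tuning it. It matches on the executable name in PowerShell log text only, so a renamed masscan binary, or masscan started directly from cmd.exe or Explorer, produces no 4103/4104 hit; the 4688 record in the sample is silently dropped for that reason, which is why an endpoint process-creation rule is the natural companion to this one. Conversely, any script that merely mentions "masscan" in a string or comment will match, so the user, host and command fields in the summary are what an analyst uses to separate a real scan launch from an installer or documentation script.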
Categories
  • Windows
  • Endpoint
Data Sources
  • User Account
  • Process
  • Application Log
ATT&CK Techniques
  • T1046
Created: 2024-02-09