ESXi System Information Discovery Via ESXCLI

Sigma Rules

Summary
This detection rule identifies executions of the `esxcli` command with the `system` namespace on ESXi hosts. Commands in this namespace are commonly used to fetch system information, including local user accounts (`esxcli system account list`), loaded kernel modules (`esxcli system module list`), NTP configuration (`esxcli system ntp get`) and other components of the host. The rule aims to surface reconnaissance by threat actors who are trying to understand the configuration of an ESXi environment before taking further action, such as disabling protections or deploying ransomware. The detection is based on process creation events: it looks at the command line of `esxcli` invocations and matches those that combine `system` with a discovery verb such as `list` or `get`, rather than configuration changes in the same namespace. Because legitimate administration and automation frequently use the same commands, this rule produces false positives and each alert should be reviewed in context (who ran it, from which session, and whether it was followed by other suspicious activity).
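The following is an added worked example, not the Sigma rule file or code from the rule's authors. It applies the matching logic the summary describes (an `esxcli` image, the `system` namespace, and a `list`/`get` verb in the command line) to a handful of constructed process-creation events, to show which invocations fire and which do not. The event fields, the substring-style matching and the sample command lines are assumptions made for illustration.

```python
"""Added example: replay the rule's matching logic over constructed events.

This is not the Sigma rule itself; it mirrors the logic described in the
summary so the hits and misses can be inspected offline.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation event (assumed field names)."""
    image: str
    command_line: str
    user: str = ""


def is_esxi_system_discovery(ev: ProcEvent) -> bool:
    """Assumed rule logic: esxcli binary + 'system' namespace + list/get verb.

    Matching is substring-based, in the spirit of Sigma's |contains
    modifier; tokens are padded with spaces so 'list' does not match
    inside an unrelated word.
    """
    if not ev.image.endswith("/esxcli"):
        return False
    cl = f" {ev.command_line} "
    if " system " not in cl:
        return False
    return any(f" {verb} " in cl for verb in ("list", "get"))


# Constructed sample events for the walkthrough; these are not real logs.
SAMPLE_EVENTS = [
    ProcEvent("/bin/esxcli", "esxcli system account list", "root"),
    ProcEvent("/bin/esxcli", "esxcli system module list", "root"),
    ProcEvent("/bin/esxcli", "esxcli system ntp get", "root"),
    # Same namespace, but a configuration change rather than discovery.
    ProcEvent("/bin/esxcli", "esxcli system syslog reload", "root"),
    # Discovery, but a different namespace; out of scope for this rule.
    ProcEvent("/bin/esxcli", "esxcli vm process list", "root"),
    # Wrapper shell: the image is sh, so this event does not match. The
    # esxcli child process produces its own process-creation event.
    ProcEvent("/bin/sh", "sh -c 'esxcli system version get'", "root"),
]


def matching_command_lines(events):
    """Return the command lines of events the rule logic would alert on."""
    return [ev.command_line for ev in events if is_esxi_system_discovery(ev)]


if __name__ == "__main__":
    for cl in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Note that all three hits above are also routine administrative commands; the rule cannot distinguish an administrator checking NTP from an intruder enumerating accounts, which is why triage has to lean on the surrounding context (the user and session that ran `esxcli`, and what else that session did).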
Categories
  • Cloud
  • Infrastructure
Data Sources
  • Process
Created: 2023-09-04