
Summary
This rule detects common reconnaissance commands run by threat actors shortly after gaining initial access to a host. It is implemented in Splunk and consumes Windows Sysmon process-creation telemetry (the Image, ParentImage, CommandLine, User and Computer fields), looking for executables that are routinely used to enumerate the local system or the network, such as 'whoami.exe', 'systeminfo.exe' and 'ipconfig.exe', among others. Events are first filtered on the parent process, keeping only child processes spawned by the Windows command shell (cmd.exe) or PowerShell (powershell.exe), and are then matched against a predefined set of reconnaissance executables. For each match the rule outputs the execution time, host, user and process details so that analysts can triage the activity and correlate it with the ATT&CK techniques listed below. The rule is informed by documented threat actor and software associations, which is why these particular commands were selected. Two practical caveats apply: the parent-process filter means reconnaissance launched directly by a non-shell parent (a dropper, a script host, or a renamed shell) will not match, and the same commands are also run by administrators and management scripts, so the rule should be tuned with known-good parent images, service accounts or hosts, and results are more meaningful when several distinct reconnaissance commands come from the same host and user within a short window.
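The matching logic described above, implemented as an added Python example rather than the page's actual Splunk search, so that it can be exercised offline. It applies the same three filters (Sysmon Event ID 1 only, parent image is cmd.exe or powershell.exe, child image is in the reconnaissance set, all compared case-insensitively on the file name), emits the time, host, user and process fields the rule reports, and then groups hits by host and user to count distinct reconnaissance commands, which is the usual way such a rule is tuned to reduce single-command noise. The executable list, field names and the sample events are constructed for this example; the full watchlist of the original rule is not reproduced here.

```python
import ntpath
from collections import defaultdict

# Reconnaissance executables watched by the rule. The page names whoami.exe,
# systeminfo.exe and ipconfig.exe; the remaining entries are assumed examples
# of "others commonly used" and not the original rule's exact list.
RECON_IMAGES = {
    "whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe",
    "nltest.exe", "tasklist.exe", "hostname.exe", "arp.exe", "route.exe",
    "netstat.exe", "quser.exe", "nbtstat.exe",
}

# Parent processes the rule restricts itself to (command shell and PowerShell).
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}

# Constructed Sysmon-style events (a subset of Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-09 10:01:03.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami /all"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:01:10.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "ipconfig /all"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:01:25.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\systeminfo.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "systeminfo"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:01:40.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net group \"domain admins\" /domain"},
    {"EventID": 3, "UtcTime": "2024-02-09 10:01:41.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\whoami.exe",
     "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "UtcTime": "2024-02-09 10:02:00.000", "Computer": "WS01",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "notepad notes.txt"},
    {"EventID": 1, "UtcTime": "2024-02-09 11:30:12.000", "Computer": "SRV02",
     "User": "CORP\\svc_backup", "Image": "C:\\WINDOWS\\SYSTEM32\\NLTEST.EXE",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "nltest /dclist:corp"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def is_recon_event(event):
    """True when the event is a process creation of a watched executable under cmd.exe or powershell.exe."""
    if event.get("EventID") != 1:
        return False
    if image_name(event.get("ParentImage")) not in SHELL_PARENTS:
        return False
    return image_name(event.get("Image")) in RECON_IMAGES


def detect(events):
    """Return the fields the rule reports for every matching event, in input order."""
    hits = []
    for ev in events:
        if is_recon_event(ev):
            hits.append({
                "time": ev["UtcTime"],
                "host": ev["Computer"],
                "user": ev["User"],
                "process": image_name(ev["Image"]),
                "parent": image_name(ev["ParentImage"]),
                "command_line": ev.get("CommandLine", ""),
            })
    return hits


def summarize(hits):
    """Group hits by (host, user) and list the distinct recon commands seen from each pair."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["host"], h["user"])].add(h["process"])
    return {key: sorted(names) for key, names in seen.items()}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    for (host, user), names in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{host} {user}: {len(names)} distinct recon commands -> {names}")
```

Of the seven constructed events, four match: the ipconfig run is rejected because its parent is explorer.exe, the Event ID 3 record is ignored because it is not a process creation, and notepad.exe is not on the watchlist; the upper-cased NLTEST.EXE path still matches because comparison is done on the lower-cased file name. The summary step shows why grouping matters for tuning: WS01/jdoe produced three distinct reconnaissance commands within a minute, while SRV02/svc_backup produced a single nltest call that may well be a scheduled job.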
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1007
- T1016
- T1018
- T1518.001
- T1571
- T1033
- T1087.001
- T1201
- T1059
- T1057
- T1082
- T1059.003
- T1059.004
Created: 2024-02-09