Firewall Configuration Discovery Via Netsh.EXE

Sigma Rules

Summary
This detection rule identifies attempts by adversaries to enumerate the firewall configuration of a Windows system with the 'netsh.exe' command-line tool. With arguments such as the 'show firewall' family of commands, an attacker can list firewall rules and profiles and look for weaknesses or misconfigurations to exploit later in the intrusion. The rule matches process creation events in which 'netsh.exe' is invoked with command-line parameters indicative of this discovery activity, i.e. invocations whose command line contains terms that suggest the user is querying detailed firewall settings. Administrative activity is a known false positive: legitimate administrative tasks will trigger the rule when they match the same criteria.
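The following is an added example, not the Sigma rule itself or code from the Sigma project, showing how the detection described above behaves when run over a handful of constructed process-creation events. The match conditions (image name ending in netsh.exe, command line containing both "show" and "firewall", compared case-insensitively) are an assumption approximating the summary; the published rule's exact selection may differ. The sample events, user names and the list of known administrative accounts are all constructed for illustration.

```python
"""Run a netsh firewall-discovery check over sample process-creation events.

Added example; the matching logic approximates the rule summary and is not
the Sigma rule's own selection.
"""

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall firewall show rule name=all",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall show state",
     "User": r"CORP\svc-patching"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=x dir=in action=allow",
     "User": r"CORP\jdoe"},  # modifies a rule, does not enumerate: no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo show firewall",
     "User": r"CORP\jdoe"},  # matching text but wrong image: no match
    {"Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": "NETSH ADVFIREWALL SHOW ALLPROFILES",
     "User": r"CORP\svc-patching"},  # upper-case variant still matches
]

# Constructed list of accounts that run firewall audits as part of their job;
# used only to annotate the known false-positive case, not to suppress it.
KNOWN_ADMIN_USERS = {r"corp\svc-patching"}


def is_netsh_firewall_discovery(event: dict) -> bool:
    """Return True when the event looks like netsh-based firewall enumeration."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Image must be netsh.exe (any directory, e.g. System32 or SysWOW64).
    if not image.endswith("\\netsh.exe"):
        return False
    # Both tokens must appear; 'add', 'set' or 'delete' rule changes do not
    # contain 'show' and are out of scope for this discovery rule.
    return "show" in cmd and "firewall" in cmd


def triage(event: dict) -> str:
    """Label a matching event for the analyst based on the executing account."""
    user = event.get("User", "").lower()
    return "likely-admin" if user in KNOWN_ADMIN_USERS else "review"


def find_matches(events: list) -> list:
    """Return (index, triage label) for every event that fires the detection."""
    return [(i, triage(e)) for i, e in enumerate(events)
            if is_netsh_firewall_discovery(e)]


if __name__ == "__main__":
    for idx, verdict in find_matches(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"[{verdict}] {e['User']}: {e['CommandLine']}")
```

Running the block prints three hits: the two non-administrative invocations are labelled for review and the one from the constructed service account is flagged as a likely administrative false positive, which mirrors how the rule's own false-positive note is meant to be applied during triage rather than by silently excluding accounts.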
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1016
Created: 2021-12-07