Windows Information Discovery Fsutil

Splunk Security Content

Summary
This detection rule monitors execution of the Windows built-in command-line tool FSUTIL, specifically invocations in which the FSINFO parameter is passed. FSUTIL can return detailed file system information, which adversaries may use for reconnaissance in support of further techniques such as privilege escalation and persistence. The rule leverages data collected from Endpoint Detection and Response (EDR) solutions by analyzing process execution logs that include command-line details. By focusing on Sysmon EventID 1 and Windows Security Event Log 4688, the detection captures instances of FSUTIL being invoked with FSINFO, helping to identify potentially malicious information discovery on Windows systems.
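To make the matching logic concrete, the following is an added Python example (not the rule's own SPL and not code from Splunk Security Content) that applies the same conditions, a process creation of fsutil.exe whose command line carries FSINFO, to a few constructed Sysmon EventID 1 / Security 4688 style records; the field names and sample values are assumptions made for this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon EventID 1 /
# Security 4688 fields (Image = full path, CommandLine = full command line).
# These are sample values written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil fsinfo drives",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "FSUTIL.EXE FSINFO volumeinfo C:",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil file queryfileid C:\\pagefile.sys",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo fsinfo",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Image": r"C:\Windows\SysWOW64\fsutil.exe",
     "CommandLine": "fsutil fsinfo ntfsinfo C:",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Only process-creation events are in scope for this rule.
PROCESS_CREATE_IDS = {1, 4688}
# FSINFO must appear as its own token; case-insensitive because cmd.exe is.
FSINFO_RE = re.compile(r"(?i)(^|\s)fsinfo(\s|$)")


def is_fsutil_fsinfo(event: dict) -> bool:
    """True when the event is fsutil.exe being created with FSINFO on its command line."""
    if event.get("EventID") not in PROCESS_CREATE_IDS:
        return False
    # Match on the image file name, not the full path, so both System32 and SysWOW64 hit.
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "fsutil.exe":
        return False
    return FSINFO_RE.search(event.get("CommandLine", "")) is not None


def find_fsinfo_discovery(events):
    """Run the detection over a list of events; return (Image, CommandLine, ParentImage)
    for each hit, the three fields an analyst would triage first."""
    return [(e["Image"], e["CommandLine"], e.get("ParentImage", ""))
            for e in events if is_fsutil_fsinfo(e)]


if __name__ == "__main__":
    for hit in find_fsinfo_discovery(SAMPLE_EVENTS):
        print("FSUTIL FSINFO execution:", hit)
```

Of the five constructed records, three match: the two `fsutil fsinfo` invocations and the uppercase `FSINFO` variant; the `fsutil file` call and the `cmd.exe` line that merely echoes the word do not.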
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1082
Created: 2024-11-13