
Automated Collection Bookmarks Using Get-ChildItem PowerShell

Sigma Rules

Summary
This rule detects use of PowerShell's Get-ChildItem cmdlet to enumerate browser bookmark files on Windows hosts. Browser bookmarks can reveal personal information about users (banking sites, interests, social media) as well as details about internal network resources (servers, dashboards, tools), so adversaries enumerate them while profiling a compromised host. The rule matches PowerShell script block text that contains all of the strings 'Get-ChildItem', '-Recurse', '-Path' and '-Filter Bookmarks'; together they indicate a recursive search of the file system for files named 'Bookmarks', which is the name of the Chromium-based browsers' bookmark store. Because the match is on literal substrings, an invocation that uses an alias such as gci, passes the path positionally instead of with -Path, or quotes the filter value (-Filter 'Bookmarks') does not satisfy the rule as written; treat it as a low-cost baseline rather than a complete coverage of the technique. The log source is PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which must be enabled for the rule to fire. The rule is in test status, meaning it is still being validated and refined.
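The following is an added example, not part of the original rule or the Sigma project's code: it reproduces the rule's "all substrings present" logic over a handful of constructed 4104 ScriptBlockText samples, showing which invocations the rule catches and which it misses, and then a hypothetical broadened variant (regex-based, covering the gci/ls/dir aliases and a quoted filter value) that a detection engineer might derive from it. The pattern list, the sample script blocks and the broadened variant are assumptions made for illustration.

```python
"""Added example: evaluate the Sigma rule's substring logic over constructed
PowerShell Script Block Logging (Event ID 4104) ScriptBlockText samples."""
import re

# The rule's selection as a list of substrings that must ALL be present
# (Sigma `contains|all`). Sigma string matching is case-insensitive by
# default, so the comparison below lowercases both sides.
SELECTION_CONTAINS_ALL = ("Get-ChildItem", "-Recurse", "-Path", "-Filter Bookmarks")


def matches_rule(script_block_text: str, patterns=SELECTION_CONTAINS_ALL) -> bool:
    """True when every selection substring occurs in the script block text."""
    text = script_block_text.lower()
    return all(p.lower() in text for p in patterns)


# Hypothetical broadened variant (not the published rule): accept the common
# aliases of Get-ChildItem and an optionally quoted filter value. Accepting
# short aliases such as ls/dir raises the false-positive rate, so a real
# deployment would pair this with a baseline of normal admin activity.
_BROADENED = (
    re.compile(r"(?i)(?<![\w-])(get-childitem|gci|ls|dir)\b"),
    re.compile(r"(?i)-recurse\b"),
    re.compile(r"(?i)-path\b"),
    re.compile(r"""(?i)-filter\s+['"]?bookmarks['"]?"""),
)


def matches_broadened(script_block_text: str) -> bool:
    """True when every broadened pattern is found somewhere in the text."""
    return all(p.search(script_block_text) for p in _BROADENED)


# Constructed sample ScriptBlockText values (not real telemetry): (label, text)
SAMPLE_EVENTS = [
    ("atomic-style enumeration",
     r"Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue"),
    ("benign recursive listing",
     r"Get-ChildItem -Path C:\Logs -Filter *.log -Recurse"),
    ("alias evades literal cmdlet name",
     r"gci -Path C:\Users -Filter Bookmarks -Recurse"),
    ("quoted filter value evades literal substring",
     r"Get-ChildItem -Path C:\Users -Filter 'Bookmarks' -Recurse"),
    ("uppercase still matches (case-insensitive)",
     r"GET-CHILDITEM -RECURSE -PATH C:\USERS -FILTER BOOKMARKS"),
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Map each sample label to (published-rule hit, broadened-variant hit)."""
    return {label: (matches_rule(text), matches_broadened(text)) for label, text in events}


if __name__ == "__main__":
    for label, (rule_hit, broad_hit) in evaluate().items():
        print(f"rule={'ALERT' if rule_hit else 'none '}  broadened={'ALERT' if broad_hit else 'none '}  {label}")
```

Running the block shows the two evasions (alias and quoted filter) slip past the published selection while the constructed enumeration and its uppercase variant fire; the broadened variant catches all three malicious-looking samples and still ignores the benign log listing.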
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
ATT&CK Techniques
  • T1217 (Browser Information Discovery, formerly Browser Bookmark Discovery)
Created: 2021-12-13