
Summary
This detection rule identifies the execution of network scanning utilities such as Advanced IP Scanner or Advanced Port Scanner, which attackers can abuse during the reconnaissance phase to find active hosts and open ports within a target network. The detection is based primarily on process creation telemetry, matching known executable names, original file names, and specific command-line parameters that belong to these utilities; in particular, it flags processes that use command-line switches such as '/portable' and '/lng', which are common in their operation. Such activity can indicate a security incident, particularly if it is followed by other malicious actions such as lateral movement or further exploitation. To keep the rule effective, correlate its findings with the surrounding context to reduce false positives, especially where legitimate administrative use of these tools occurs.
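The following is an added example, not part of the rule or this page, showing how the three selectors described above (image name, original file name, and the '/portable' plus '/lng' switches) can be applied to process creation events and how an analyst might attach triage context to the matches. The '/portable' and '/lng' switches come from the summary; the executable names advanced_ip_scanner.exe and advanced_port_scanner.exe, the requirement that both switches be present, and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass

# Indicators used by the detection. The two command-line switches are the ones
# named in the rule summary; the executable / original file names below are
# assumptions for this example, not values taken from the rule itself.
SCANNER_IMAGE_NAMES = ("advanced_ip_scanner.exe", "advanced_port_scanner.exe")
SCANNER_SWITCHES = ("/portable", "/lng")


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal view of a process-creation event (e.g. Sysmon Event ID 1)."""
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    user: str


def scanner_indicators(event: ProcessCreate) -> list[str]:
    """Return the names of the selectors that fired; an empty list means no match."""
    hits = []
    image_basename = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_basename in SCANNER_IMAGE_NAMES:
        hits.append("image_name")
    # OriginalFileName is read from the PE version resource, so it survives a
    # rename of the file on disk and still fires for e.g. C:\Users\Public\update.exe.
    if event.original_file_name.lower() in SCANNER_IMAGE_NAMES:
        hits.append("original_file_name")
    cmd = event.command_line.lower()
    # Assumption for this example: both switches must be present (substring match).
    if all(switch in cmd for switch in SCANNER_SWITCHES):
        hits.append("command_line_switches")
    return hits


def triage(events: list[ProcessCreate], admin_accounts: set[str]) -> list[dict]:
    """Run the detection over events and attach triage context.

    Matches from known administrative accounts are kept but given a lower
    priority rather than suppressed: the summary's false-positive caveat calls
    for correlation with context, and a compromised admin identity would
    otherwise hide the activity entirely.
    """
    alerts = []
    for ev in events:
        hits = scanner_indicators(ev)
        if not hits:
            continue
        alerts.append({
            "image": ev.image,
            "user": ev.user,
            "selectors": hits,
            "priority": "medium" if ev.user in admin_accounts else "high",
        })
    return alerts


# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\ipconfig.exe", "ipconfig.exe",
                  "ipconfig /all", "CORP\\jdoe"),
    ProcessCreate(r"C:\Tools\advanced_ip_scanner.exe", "advanced_ip_scanner.exe",
                  "advanced_ip_scanner.exe /portable /lng en_us", "CORP\\helpdesk-admin"),
    # Renamed binary: only OriginalFileName and the switches give it away.
    ProcessCreate(r"C:\Users\Public\update.exe", "advanced_port_scanner.exe",
                  "update.exe /portable /lng en_us", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, admin_accounts={"CORP\\helpdesk-admin"}):
        print(alert)
```

The third sample event is the case worth keeping in mind: once the binary is renamed, the image-name selector is silent and the match rests on the original file name and the switches, which is why the rule draws on all three fields rather than the executable name alone.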
Categories
- Endpoint
- Network
Data Sources
- Pod
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1046
- T1135
Created: 2025-10-13