```yaml
title: Clustered Endpoint Enumeration
id: edr-win-disc-clustered-enum
status: stable
description: >
  Correlation rule flagging discovery commands from cmd.exe or PowerShell spawning
  systeminfo.exe, whoami.exe, ipconfig.exe, nltest.exe, or net.exe with domain
  enumeration arguments. Requires 2+ matches within a 10-minute window on the same
  host to reduce noise from single-command admin usage. Catches the burst-style
  recon pattern of hands-on-keyboard operators.
references:
  - https://attack.mitre.org/tactics/TA0007/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.discovery
  - attack.t1018
  - attack.t1069
  - attack.t1087.002
  - attack.t1482
logsource:
  category: process_creation
  product: windows
detection:
  # Each selection is a map: fields inside one map are ANDed, list values are ORed.
  selection_discovery_1:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
    Image|endswith:
      - '\systeminfo.exe'
      - '\whoami.exe'
  selection_discovery_2:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
    Image|contains: '\ipconfig'
    CommandLine|contains: '/all'
  selection_discovery_3:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    Image|endswith:
      - '\nltest.exe'
      - '\net.exe'
    CommandLine|contains:
      - 'view /all'
      - 'config workstation'
      - 'get displayname'
      - 'domain_trusts'
      - 'domain computers'
      - 'domain admins'
  # Written as a list of maps so that each entry is an independent exclusion.
  # As a single map, CommandLine AND ParentImage would both have to match, and the
  # taskeng.exe / runonce.exe parents would never be excluded on their own.
  filter_exclusions:
    - CommandLine|contains:
        - 'Nexthink'
    - ParentImage|endswith:
        - '\nxtcod.exe'
        - '\taskeng.exe'
        - '\runonce.exe'
  # Sigma expresses the aggregation window with a separate timeframe key rather
  # than an inline "within" clause.
  timeframe: 10m
  condition: (1 of selection_discovery_* and not filter_exclusions) | count() by ComputerName > 1
falsepositives:
  - Legitimate administrative diagnostics or system inventory scripts (baseline by parent script context)
level: medium
```
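The following is an added example, not part of the rule above or of any Sigma backend: a small Python evaluator that transcribes the three selections and the exclusion list, applies Sigma's matching semantics (fields in one map ANDed, list values ORed, case-insensitive `endswith`/`contains`) and then runs the `count() by ComputerName > 1` aggregation over a 10-minute sliding window. The process-creation events are constructed for the demonstration, and the hostnames, paths and timestamps are assumptions. It also evaluates the exclusions as one combined map (`FILTER_AS_ONE_MAP`) to show why that form silently fails to suppress a Nexthink inventory command whose parent is cmd.exe.

```python
from datetime import datetime, timedelta

# Selections transcribed from the rule (values are ORed, fields in a map are ANDed).
SELECTIONS = {
    "selection_discovery_1": {
        "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe", "\\powershell_ise.exe"],
        "Image|endswith": ["\\systeminfo.exe", "\\whoami.exe"],
    },
    "selection_discovery_2": {
        "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe", "\\powershell_ise.exe"],
        "Image|contains": ["\\ipconfig"],
        "CommandLine|contains": ["/all"],
    },
    "selection_discovery_3": {
        "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
        "Image|endswith": ["\\nltest.exe", "\\net.exe"],
        "CommandLine|contains": ["view /all", "config workstation", "get displayname",
                                 "domain_trusts", "domain computers", "domain admins"],
    },
}
# Exclusions as a list of maps: any single map matching suppresses the event.
FILTERS = [
    {"CommandLine|contains": ["Nexthink"]},
    {"ParentImage|endswith": ["\\nxtcod.exe", "\\taskeng.exe", "\\runonce.exe"]},
]
# The same exclusions collapsed into one map: both fields must match (AND).
FILTER_AS_ONE_MAP = [{"CommandLine|contains": ["Nexthink"],
                      "ParentImage|endswith": ["\\nxtcod.exe", "\\taskeng.exe", "\\runonce.exe"]}]
WINDOW = timedelta(minutes=10)   # timeframe: 10m
THRESHOLD = 1                    # count() by ComputerName > 1


def _field_matches(event, key, values):
    """Apply one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def match_map(event, selection):
    """All fields of a selection map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def is_discovery(event, filters=FILTERS):
    """True when any selection matches and no exclusion map matches."""
    hit = any(match_map(event, sel) for sel in SELECTIONS.values())
    excluded = any(match_map(event, flt) for flt in filters)
    return hit and not excluded


def correlate(events):
    """Return (ComputerName, UtcTime) for each burst of >THRESHOLD hits on a host
    inside WINDOW. The host's window is reset after an alert so one burst alerts once."""
    alerts, by_host = [], {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_discovery(ev):
            continue
        host = ev["ComputerName"]
        # Drop hits that fell out of the sliding window, then add this one.
        window = [t for t in by_host.get(host, []) if ev["UtcTime"] - t <= WINDOW]
        window.append(ev["UtcTime"])
        if len(window) > THRESHOLD:
            alerts.append((host, ev["UtcTime"]))
            window = []
        by_host[host] = window
    return alerts


def _ev(host, minute, parent, image, cmdline):
    # Constructed process_creation event; UtcTime is minutes after 09:00 on an assumed day.
    return {"ComputerName": host, "UtcTime": datetime(2026, 4, 16, 9, minute),
            "ParentImage": parent, "Image": image, "CommandLine": cmdline}


CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    # WS01: operator burst, two discovery hits three minutes apart -> alert
    _ev("WS01", 0, CMD, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("WS01", 3, CMD, r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    # WS02: one admin diagnostic, nothing else -> below threshold
    _ev("WS02", 5, CMD, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    # WS03: two hits, but 15 minutes apart -> outside the window
    _ev("WS03", 0, CMD, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("WS03", 15, CMD, r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    # WS04: inventory script excluded by the Nexthink command line, one real hit left -> no alert
    _ev("WS04", 1, CMD, r"C:\Windows\System32\systeminfo.exe",
        r"systeminfo /fo csv > C:\ProgramData\Nexthink\inventory.csv"),
    _ev("WS04", 2, CMD, r"C:\Windows\System32\whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for host, when in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host} clustered enumeration at {when:%H:%M}")
```

Running it alerts only on WS01. Note that `is_discovery(SAMPLE_EVENTS[5], FILTER_AS_ONE_MAP)` returns True: with the exclusions in one map the Nexthink inventory command is not suppressed, because its parent is cmd.exe rather than nxtcod.exe, so the AND never holds and WS04 would also alert.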