APT Network Discovery Sequence — 5 or More Tools Within 30-Minute Window
Identifies hosts running 5 or more distinct network reconnaissance binaries (ping, nslookup, nltest, arp, route, netstat, ipconfig, tracert) within a 30-minute window. This multi-tool burst pattern is a high-fidelity indicator of hands-on-keyboard APT operators performing internal network mapping after initial compromise, consistent with APT TTPs analyzed in Azeria Labs and CrowdStrike threat intelligence reporting.
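The logic described above, as an added Python sketch over process-creation events (not the rule's own query). The `(timestamp, host, image)` event shape, the inclusive 30-minute boundary and the one-alert-per-burst suppression are assumptions made for this example; the sample events are constructed.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Binary list, threshold and window are taken from the rule description.
RECON = {"ping", "nslookup", "nltest", "arp", "route", "netstat", "ipconfig", "tracert"}
THRESHOLD = 5
WINDOW = timedelta(minutes=30)

def tool_name(image):
    """Normalise a process image path to a bare lowercase tool name."""
    base = ntpath.basename(image).lower()
    return base[:-4] if base.endswith(".exe") else base

def detect(events):
    """events: (iso_timestamp, host, image) tuples. Returns one alert per host burst."""
    parsed = sorted((datetime.fromisoformat(ts), host, tool_name(img))
                    for ts, host, img in events)
    recent = defaultdict(deque)      # host -> (time, tool) pairs still inside the window
    quiet_until = {}                 # assumption: suppress repeat alerts for one window
    alerts = []
    for t, host, tool in parsed:
        if tool not in RECON:
            continue
        q = recent[host]
        q.append((t, tool))
        while t - q[0][0] > WINDOW:  # slide the window; exactly 30 minutes still counts
            q.popleft()
        tools = {name for _, name in q}   # distinct tools, so repeated pings count once
        if len(tools) >= THRESHOLD and t >= quiet_until.get(host, datetime.min):
            alerts.append({"host": host, "start": q[0][0], "end": t, "tools": sorted(tools)})
            quiet_until[host] = t + WINDOW
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "WS-01", r"C:\Windows\System32\ipconfig.exe"),
    ("2024-05-01T10:02:00", "WS-01", r"C:\Windows\System32\ARP.EXE"),
    ("2024-05-01T10:05:00", "WS-01", r"C:\Windows\System32\nltest.exe"),
    ("2024-05-01T10:06:00", "WS-01", "ping.exe"),
    ("2024-05-01T10:07:00", "WS-01", "ping.exe"),
    ("2024-05-01T10:09:00", "WS-01", "netstat.exe"),
    ("2024-05-01T10:12:00", "WS-01", "route.exe"),      # same burst, suppressed
    ("2024-05-01T09:00:00", "SRV-02", "ping.exe"),      # five tools, but spread over 50 minutes
    ("2024-05-01T09:10:00", "SRV-02", "nslookup.exe"),
    ("2024-05-01T09:20:00", "SRV-02", "ipconfig.exe"),
    ("2024-05-01T09:40:00", "SRV-02", "tracert.exe"),
    ("2024-05-01T09:50:00", "SRV-02", "netstat.exe"),
]
```

`detect(SAMPLE_EVENTS)` alerts once for WS-01 and not at all for SRV-02, whose five tools never fall inside a single 30-minute window.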