APT3 Multi-Stage CMD Reconnaissance Chain Detection
Detects sequences of reconnaissance commands executed via cmd.exe consistent with APT3 operator TTPs: chains of whoami, net user/group, nltest, ipconfig, and systeminfo from the same user on the same host, indicative of hands-on-keyboard activity post-compromise.
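The correlation described above, sketched in Python as an added example (not the rule's own query). The event tuple layout, the regexes, the 5-minute window and the three-family threshold are assumptions of this example; the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command families named in the rule; the regexes are this example's own.
RECON = {
    "whoami": re.compile(r"^whoami(\.exe)?\b", re.I),
    "net user/group": re.compile(r"^net1?(\.exe)?\s+(user|group|localgroup)\b", re.I),
    "nltest": re.compile(r"^nltest(\.exe)?\b", re.I),
    "ipconfig": re.compile(r"^ipconfig(\.exe)?\b", re.I),
    "systeminfo": re.compile(r"^systeminfo(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=5)  # assumed correlation window, not from the rule
MIN_DISTINCT = 3               # assumed minimum number of distinct families

def classify(cmdline):
    for family, rx in RECON.items():
        if rx.search(cmdline.strip()):
            return family
    return None

def find_chains(events):
    """events: (iso_ts, host, user, parent_image, cmdline). Returns alerting pairs."""
    hits = defaultdict(list)
    for ts, host, user, parent, cmdline in events:
        # Only count recon commands whose parent process is cmd.exe.
        if (family := classify(cmdline)) and parent.lower().endswith("cmd.exe"):
            hits[(host, user)].append((datetime.fromisoformat(ts), family))
    alerts = []
    for (host, user), seen in sorted(hits.items()):
        seen.sort()
        best = set()
        for i, (start, _) in enumerate(seen):  # window anchored at each hit
            in_window = {f for t, f in seen[i:] if t - start <= WINDOW}
            best = max(best, in_window, key=len)
        if len(best) >= MIN_DISTINCT:
            alerts.append((host, user, sorted(best)))
    return alerts

# Constructed process-creation events (not real telemetry).
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [
    ("2024-01-10T10:00:00", "WS01", "alice", CMD, "whoami /all"),
    ("2024-01-10T10:00:40", "WS01", "alice", CMD, "net user /domain"),
    ("2024-01-10T10:01:30", "WS01", "alice", CMD, "nltest /domain_trusts"),
    ("2024-01-10T09:00:00", "WS02", "bob", CMD, "ipconfig /all"),
    ("2024-01-10T11:00:00", "WS02", "bob", CMD, "whoami"),
    ("2024-01-10T13:00:00", "WS02", "bob", CMD, "systeminfo"),
    ("2024-01-10T10:00:05", "WS01", "carol", r"C:\Windows\explorer.exe", "systeminfo"),
]
```

Counting distinct command families rather than raw events keeps a script that repeats `ipconfig` from alerting, and the hours-apart commands from `bob` show why the time window matters.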