APT3 Multi-Stage Windows Command Shell Reconnaissance Chain
Detects hosts where cmd.exe or PowerShell executes 3 or more inline reconnaissance commands (whoami, hostname, net, systeminfo, nltest) within a session. This is a high-fidelity hands-on-keyboard indicator attributed to APT3 and similar threat actors documented in CrowdStrike Falcon IR investigations.
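A sketch of the correlation logic described above, run over constructed process-creation events. This is an added example, not the rule's own query. The event field names, the use of (host, logon session ID) as the "session", and counting distinct tools rather than raw executions are assumptions.

```python
import re
from collections import defaultdict

SHELLS = {"cmd", "powershell"}
RECON = {"whoami", "hostname", "net", "systeminfo", "nltest"}  # list from the rule text
THRESHOLD = 3  # "3 or more" from the rule text

def tool(token):
    """Lower-cased executable name without path, quotes or .exe suffix."""
    name = re.split(r"[\\/]", token.strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def recon_commands(cmdline):
    """Recon tools that start any segment of a chained command line."""
    hits = set()
    for segment in re.split(r"&&|\|\||[&|;]", cmdline):
        tokens = segment.strip().strip('"').split()
        # Drop the shell itself and its switches (/c, -Command, ...).
        while tokens and (tokens[0][0] in "/-" or tool(tokens[0]) in SHELLS):
            tokens.pop(0)
        if tokens and tool(tokens[0]) in RECON:
            hits.add(tool(tokens[0]))
    return hits

def detect(events):
    """Map (host, session) -> sorted recon tools for sessions at or over THRESHOLD."""
    seen = defaultdict(set)
    for e in events:
        # Only commands typed into, or launched by, cmd.exe / PowerShell count.
        if tool(e["image"]) in SHELLS or tool(e["parent"]) in SHELLS:
            seen[(e["host"], e["session"])] |= recon_commands(e["cmdline"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= THRESHOLD}

def ev(host, session, parent, image, cmdline):
    return dict(host=host, session=session, parent=parent, image=image, cmdline=cmdline)

# Constructed sample events (not real telemetry); session is a made-up logon ID.
EVENTS = [
    ev("WS01", "0x3e7a1", "explorer.exe", r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami & hostname"'),
    ev("WS01", "0x3e7a1", "cmd.exe", "nltest.exe", "nltest /domain_trusts"),
    ev("WS02", "0x51c02", "cmd.exe", "whoami.exe", "whoami"),
    ev("WS02", "0x51c02", "cmd.exe", "net.exe", "net use"),
    ev("WS03", "0x7a910", "services.exe", "powershell.exe", 'powershell.exe -Command "systeminfo; net user; hostname"'),
    ev("WS04", "0x11b3f", "monitor.exe", "whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for (host, session), tools in detect(EVENTS).items():
        print(f"ALERT {host} session {session}: {', '.join(tools)}")
```

Counting distinct tools keeps the result stable when telemetry logs both the shell's chained command line and the child processes it spawns.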