โ† Back to hub

APT3 Interactive CMD Shell Reconnaissance Chain Detection

Detects chained execution of native Windows reconnaissance tools through cmd.exe by the same user on the same host, a pattern characteristic of APT3 executing remote discovery commands via the Windows Command Shell. Triggers when 3 or more tools are executed in the same user session.
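
The correlation described above, sketched in Python over constructed process-creation events. This is an added example, not the subscription query from this page. The tool list, the event field names, and the use of a logon ID to stand for "same user session" are assumptions.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumption: the page does not list the tools its query matches.
RECON_TOOLS = {"whoami.exe", "ipconfig.exe", "net.exe", "netstat.exe",
               "systeminfo.exe", "tasklist.exe", "nltest.exe", "arp.exe"}
THRESHOLD = 3  # from the page: 3 or more tools in the same user session

def detect_recon_chains(events, threshold=THRESHOLD):
    """One alert per (host, user, logon_id) whose cmd.exe children include
    at least `threshold` distinct reconnaissance tools."""
    sessions = defaultdict(dict)  # session key -> {tool: first-seen time}
    for e in events:
        if basename(e["parent_image"]).lower() != "cmd.exe":
            continue  # only tools launched from the command shell count
        tool = basename(e["image"]).lower()
        if tool in RECON_TOOLS:
            key = (e["host"].lower(), e["user"].lower(), e["logon_id"])
            sessions[key].setdefault(tool, e["time"])
    alerts = []
    for (host, user, logon_id), tools in sorted(sessions.items()):
        if len(tools) >= threshold:  # distinct tools, not raw event count
            alerts.append({"host": host, "user": user, "logon_id": logon_id,
                           "tools": sorted(tools), "first_seen": min(tools.values())})
    return alerts

def event(time, host, user, logon_id, parent, image):
    return {"time": time, "host": host, "user": user, "logon_id": logon_id,
            "parent_image": parent, "image": "C:\\Windows\\System32\\" + image}

CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    event("2024-01-10T09:00:05Z", "WS01", "CORP\\alice", "0x3e7a1", CMD, "whoami.exe"),
    event("2024-01-10T09:00:21Z", "WS01", "CORP\\alice", "0x3e7a1", CMD, "ipconfig.exe"),
    event("2024-01-10T09:01:02Z", "WS01", "CORP\\alice", "0x3e7a1", CMD, "net.exe"),
    event("2024-01-10T13:15:00Z", "WS01", "CORP\\alice", "0x4b002", CMD, "tasklist.exe"),
    event("2024-01-10T10:00:00Z", "WS02", "CORP\\bob", "0x51c20", CMD, "whoami.exe"),
    event("2024-01-10T10:00:09Z", "WS02", "CORP\\bob", "0x51c20", CMD, "ipconfig.exe"),
    event("2024-01-10T10:00:30Z", "WS02", "CORP\\bob", "0x51c20", CMD, "whoami.exe"),
    event("2024-01-10T11:00:00Z", "WS03", "CORP\\carol", "0x77d10", PS, "systeminfo.exe"),
    event("2024-01-10T11:00:07Z", "WS03", "CORP\\carol", "0x77d10", PS, "tasklist.exe"),
    event("2024-01-10T11:00:15Z", "WS03", "CORP\\carol", "0x77d10", PS, "netstat.exe"),
]

if __name__ == "__main__":
    for alert in detect_recon_chains(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct tools per session keeps a user who repeats one or two commands (bob in the sample) below the threshold, and the parent check excludes the same tools launched from another shell (carol).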
