Detecting Internal Reconnaissance Behavior Through Classification of Command Collections
IEEE Conference Publication | IEEE Xplore
Abstract:

Internal reconnaissance is the adversarial mechanism of obtaining information about an infiltrated system or network. A common method used by the adversary to acquire this information is the execution of command-line utilities. Presently, only rule-based techniques have been operationalized to directly detect this internal reconnaissance behavior. There is significant overlap between the commands entered by adversaries for this task and commands frequently issued by typical users for legitimate tasks. Deterministic detection approaches have difficulty distinguishing between internal reconnaissance and legitimate command-line behavior that falls in this overlap, resulting in high false positive rates. To distinguish internal reconnaissance behavior more effectively, stochastic techniques can be employed. This paper proposes a machine learning approach to detect internal reconnaissance through binary classification of command collections. It considers two learning methods, namely latent Dirichlet allocation (LDA) and long short-term memory (LSTM), and shows that both outperform state-of-the-art methods.
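The abstract contrasts deterministic, rule-based detection with stochastic classification of a whole command collection. The following is an added illustration, not code or data from the paper: it uses a hand-rolled multinomial naive Bayes classifier (a stand-in for the paper's LDA and LSTM models, which are not reproduced here) trained on constructed, hypothetical Windows command sessions. The session contents, the watchlist and the rule threshold are all assumptions made for the example. It shows the failure mode the abstract describes: a rule that counts watchlisted utilities flags a benign troubleshooting session, while the collection-level classifier scores the same session as benign because the surrounding commands are typical of legitimate use.

```python
"""Rule-based vs. stochastic classification of command collections.

Added example: constructed sessions and a simple naive Bayes model, not the
paper's dataset, LDA or LSTM implementations.
"""
import math
from collections import Counter

# Constructed training sessions (hypothetical; not from the paper).
RECON_SESSIONS = [
    ["whoami /all", "hostname", "ipconfig /all", "net user",
     'net group "domain admins" /domain', "systeminfo", "tasklist /v"],
    ["whoami /groups", "net localgroup administrators", "net view /domain",
     "nltest /dclist:corp", "systeminfo", "quser"],
    ["hostname", "ipconfig /all", "arp -a", "route print", "netstat -ano",
     "net share", "whoami"],
]
BENIGN_SESSIONS = [
    ["cd src", "dir", "type README.md", "notepad config.yaml", "git status",
     "ipconfig", "ping 10.0.0.5"],
    ["cd C:\\proj", "git pull", "python build.py", "dir /b",
     "net use Z: \\\\fileserver\\share", "type build.log"],
    ["hostname", "ping gateway", "tracert 10.0.0.1", "ipconfig /all",
     "netstat -an", "cd logs", "dir"],
]

# Constructed held-out sessions used for the comparison below.
TEST_SESSIONS = {
    "recon": ["whoami", "hostname", "systeminfo", "net user /domain",
              "net group /domain", "quser", "tasklist"],
    "developer": ["cd app", "dir", "git log", "python manage.py test",
                  "notepad app.py", "ipconfig"],
    "admin_troubleshooting": ["ipconfig /all", "hostname", "ping 10.0.0.1",
                              "netstat -an", "cd C:\\logs", "dir", "type app.log"],
}

# Deterministic baseline: a watchlist of discovery utilities (assumed) and a
# threshold on how many distinct watchlisted utilities appear in a session.
RECON_WATCHLIST = {
    "whoami", "hostname", "ipconfig", "systeminfo", "tasklist", "quser",
    "nltest", "arp", "route", "netstat", "net user", "net group",
    "net localgroup", "net view", "net share",
}
RULE_THRESHOLD = 3


def tokenize(session):
    """Map each command line to a utility token. For 'net', keep the
    subcommand so 'net user' (discovery) and 'net use' (mapping a share)
    stay distinct; arguments are otherwise ignored."""
    tokens = []
    for line in session:
        parts = line.lower().split()
        if not parts:
            continue
        tok = parts[0]
        if tok == "net" and len(parts) > 1:
            tok = "net " + parts[1]
        tokens.append(tok)
    return tokens


def rule_based_flag(session):
    """Flag a session when it contains at least RULE_THRESHOLD distinct
    watchlisted utilities. Each utility is judged in isolation."""
    hits = {t for t in tokenize(session) if t in RECON_WATCHLIST}
    return len(hits) >= RULE_THRESHOLD


class NaiveBayes:
    """Multinomial naive Bayes over the bag of utility tokens in a session,
    with additive (Laplace) smoothing. Label 1 = recon, 0 = benign."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, sessions, labels):
        self.counts = {0: Counter(), 1: Counter()}
        self.docs = Counter(labels)
        for session, label in zip(sessions, labels):
            self.counts[label].update(tokenize(session))
        self.vocab = set(self.counts[0]) | set(self.counts[1])
        self.totals = {c: sum(self.counts[c].values()) for c in (0, 1)}
        return self

    def _log_likelihood(self, tokens, c):
        denom = self.totals[c] + self.alpha * len(self.vocab)
        return sum(math.log((self.counts[c][t] + self.alpha) / denom)
                   for t in tokens)

    def log_odds(self, session):
        """log P(recon | session) - log P(benign | session). Tokens unseen
        in training contribute equally to both classes and cancel out."""
        tokens = tokenize(session)
        n = sum(self.docs.values())
        prior = math.log(self.docs[1] / n) - math.log(self.docs[0] / n)
        return (prior + self._log_likelihood(tokens, 1)
                - self._log_likelihood(tokens, 0))

    def predict(self, session):
        return self.log_odds(session) > 0


MODEL = NaiveBayes().fit(RECON_SESSIONS + BENIGN_SESSIONS,
                         [1] * len(RECON_SESSIONS) + [0] * len(BENIGN_SESSIONS))

if __name__ == "__main__":
    for name, session in TEST_SESSIONS.items():
        print(f"{name:24s} rule={rule_based_flag(session)!s:5s} "
              f"nb={MODEL.predict(session)!s:5s} "
              f"log_odds={MODEL.log_odds(session):+.2f}")
```

The admin troubleshooting session trips the rule (ipconfig, hostname and netstat are all watchlisted) but the classifier weighs those shared utilities against cd, dir, ping and type, which only ever occur in benign collections, and scores the session as benign. That is the overlap problem the abstract attributes to deterministic approaches; a real deployment would train on far more sessions and, as the paper does, on models that capture more than token counts.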
Date of Conference: 31 July 2023 - 02 August 2023
Date Added to IEEE Xplore: 28 August 2023
ISBN Information:
Conference Location: Venice, Italy
