Common Active Directory Commands

Anvilogic Forge

Summary
This rule detects the potential execution of various Active Directory (AD) commands on Windows hosts by monitoring process activity in CrowdStrike EDR logs. It specifically looks for the execution of known AD command-line tools such as 'csvde.exe', 'dsacls.exe', 'dcpromo.exe', 'dcdiag.exe', 'dsamain.exe', 'dsmgmt.exe', 'ldifde.exe', 'ldp.exe', 'netdom.exe', 'nltest.exe' and 'setspn.exe', as well as commands associated with querying user group memberships, such as 'whoami', and domain queries, such as 'dsquery'. Given the nature of these commands, their execution can indicate ongoing reconnaissance or lateral movement by threat actors, particularly those targeting Active Directory environments. The rule uses Snowflake query logic to filter event data on the specified conditions. It is also associated with multiple advanced persistent threat (APT) groups and cybercriminal organizations known for targeting enterprise environments, particularly Active Directory.
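A minimal form of the matching the summary describes, added here as an illustration and not Anvilogic's own Snowflake logic: it runs over constructed process events whose field names (aid, ImageFileName, CommandLine) are assumed to follow CrowdStrike process events, matches the tool names from the summary plus group-membership 'whoami' queries, and groups hits per host so that a host running several distinct AD tools stands out from a lone administrative lookup.

```python
import ntpath
from collections import defaultdict

# Tool names listed in the rule summary; whoami is handled separately because
# only its group-membership queries are of interest, not a bare 'whoami'.
AD_TOOLS = {
    "csvde.exe", "dsacls.exe", "dcpromo.exe", "dcdiag.exe", "dsamain.exe",
    "dsmgmt.exe", "ldifde.exe", "ldp.exe", "netdom.exe", "nltest.exe",
    "setspn.exe", "dsquery.exe",
}
WHOAMI_GROUP_SWITCHES = ("/groups", "/all")  # assumption: switches that list groups

# Constructed sample events. Field names (aid, ImageFileName, CommandLine)
# are assumed to follow CrowdStrike process events; adapt to your schema.
SAMPLE_EVENTS = [
    {"aid": "host-a", "ImageFileName": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:corp"},
    {"aid": "host-a", "ImageFileName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /groups"},
    {"aid": "host-b", "ImageFileName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"aid": "host-b", "ImageFileName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"aid": "host-c", "ImageFileName": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery user -name svc*"},
]

def classify(event):
    """Return the matched tool name for one process event, or None."""
    image = ntpath.basename(event.get("ImageFileName", "")).lower()
    args = event.get("CommandLine", "").lower().split()
    if image in AD_TOOLS:
        return image
    if image == "whoami.exe" and any(a in WHOAMI_GROUP_SWITCHES for a in args):
        return image
    return None

def detect(events):
    """One hit dict per matching event, keeping the command line for triage."""
    hits = []
    for ev in events:
        tool = classify(ev)
        if tool:
            hits.append({"aid": ev["aid"], "tool": tool, "cmd": ev.get("CommandLine", "")})
    return hits

def tools_by_host(events):
    """Distinct matched tools per host: several different tools on one host is a
    stronger reconnaissance signal than a single lookup from an admin workstation."""
    summary = defaultdict(set)
    for hit in detect(events):
        summary[hit["aid"]].add(hit["tool"])
    return dict(summary)
```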
Categories
  • Identity Management
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1087.002
  • T1007
Created: 2024-02-09