Windows System Remote Discovery With Query

Splunk Security Content

Summary
This detection rule identifies execution of `query.exe` with command-line arguments that indicate attempts to discover data on remote devices. The analytic uses telemetry from Endpoint Detection and Response (EDR) solutions, focusing on process names and their command-line arguments. The detection matters because malicious actors can use `query.exe` to gain insight into the network environment, including Active Directory details, from compromised endpoints. If this behavior is confirmed as malicious, it can give attackers the information they need to support lateral movement and privilege escalation within an organization’s network.
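As an added example, not code from the Splunk rule or this page, the matching logic the summary describes, run in Python over constructed EDR process events; flagging on the `/server:` argument is an assumption, since the page does not list which arguments the rule matches.

```python
import re

# Constructed sample EDR process events (not taken from the original page).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "query.exe",
     "process": r"C:\Windows\System32\query.exe user /server:dc01"},
    {"host": "ws01", "user": "alice", "process_name": "query.exe",
     "process": r"C:\Windows\System32\query.exe session"},
    {"host": "ws02", "user": "bob", "process_name": "QUERY.EXE",
     "process": r"C:\Windows\System32\QUERY.EXE process /server:fs01"},
    {"host": "ws03", "user": "carol", "process_name": "cmd.exe",
     "process": r"C:\Windows\System32\cmd.exe /c whoami"},
]

# Assumption: query.exe's user/session/process subcommands accept
# /server:<host>, and that argument is what signals a remote target.
# A local "query session" (no /server:) is deliberately not flagged to
# keep the analytic focused on remote discovery.
REMOTE_ARG = re.compile(r"/server:\s*(\S+)", re.IGNORECASE)


def find_remote_query(events):
    """Return one finding per query.exe event that names a remote host."""
    findings = []
    for ev in events:
        if ev.get("process_name", "").lower() != "query.exe":
            continue
        match = REMOTE_ARG.search(ev.get("process", ""))
        if not match:
            continue
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "target": match.group(1),
            "command": ev["process"],
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_query(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} -> {f['target']}: {f['command']}")
```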
Categories
  • Endpoint
  • Windows
  • On-Premise
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1033
Created: 2025-02-05