User_Domain Enumeration Tool - Windows

Anvilogic Forge

Summary
The 'User_Domain Enumeration Tool - Windows' detection rule identifies attempts by adversaries to enumerate domain accounts within a Windows environment. Such enumeration typically lets an attacker learn which accounts exist, which supports follow-on activity such as phishing or lateral movement. The detection logic focuses on process command lines associated with Active Directory searches, using tools such as ADSISearcher or ADFind. The rule queries CrowdStrike EDR logs for processes executed within the last two hours whose command lines contain keywords associated with domain enumeration; the presence of these keywords indicates that a user or domain enumeration attempt is likely in progress. The rule maps to MITRE ATT&CK techniques T1087.002 and T1136.002.
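The detection logic described above, as an added illustration that is not the Forge rule's own query: a two-hour time-window filter plus a case-insensitive keyword match over process command lines, run against a handful of constructed process events. Only the two tools the summary names (ADSISearcher, ADFind) are matched; the rule's full keyword list is not published on this page, and the event fields, hostnames and commands are assumptions.

```python
"""Added example: flag process events whose command line contains the
domain-enumeration keywords named on the page, within a two-hour window."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Keywords named on the page. The real rule's complete list is not shown
# there, so this is an illustrative subset, not the Forge rule's exact logic.
ENUM_PATTERNS = {
    # PowerShell type accelerator may appear as [adsisearcher]
    "adsisearcher": re.compile(r"\[?adsisearcher\]?", re.IGNORECASE),
    # AdFind is usually invoked as adfind or adfind.exe
    "adfind": re.compile(r"\badfind(\.exe)?\b", re.IGNORECASE),
}
TECHNIQUES = ("T1087.002", "T1136.002")  # ATT&CK mappings listed on the page
WINDOW = timedelta(hours=2)               # look-back window from the summary


@dataclass
class ProcessEvent:
    """Minimal stand-in for an EDR process event (field names are assumed)."""
    timestamp: datetime
    host: str
    user: str
    command_line: str


def matched_keywords(event, now, window=WINDOW):
    """Return the keyword names found in the command line, or [] if the
    event is outside the look-back window or contains no keyword."""
    if not (now - window <= event.timestamp <= now):
        return []
    return [name for name, pat in ENUM_PATTERNS.items()
            if pat.search(event.command_line)]


def detect(events, now, window=WINDOW):
    """Run the rule over a batch of events and return one alert per hit."""
    return [{"host": ev.host, "user": ev.user, "keywords": hits,
             "techniques": TECHNIQUES, "command_line": ev.command_line}
            for ev in events if (hits := matched_keywords(ev, now, window))]


# Constructed sample events (not real telemetry); one is outside the window.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(minutes=30), "WS01", "CORP\\alice",
                 "powershell.exe -Command \"([adsisearcher]'').FindAll()\""),
    ProcessEvent(NOW - timedelta(minutes=5), "WS02", "CORP\\bob",
                 "AdFind.exe -default"),
    ProcessEvent(NOW - timedelta(hours=5), "WS03", "CORP\\carol",
                 "adfind.exe -default"),          # too old: outside window
    ProcessEvent(NOW - timedelta(minutes=1), "WS04", "CORP\\dave",
                 "notepad.exe C:\\Users\\dave\\notes.txt"),  # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, NOW):
        print(alert)
```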
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1087.002
  • T1136.002
Created: 2024-02-09