AdFind Execution

Anvilogic Forge

Summary
This detection rule identifies instances of the AdFind tool executing on Windows systems. AdFind is commonly used by threat actors to gather information from Active Directory, which makes it a valuable tool in the reconnaissance phase of an intrusion. The rule queries the `crowdstrikefdr_process` database for any process execution events related to AdFind in the past two hours. Use of the tool is associated with several threat actor groups and ransomware families, indicating its significance in targeted attacks: groups reported to use it include APT29 (Cozy Bear) and APT31, among others, along with ransomware families such as BlackMatter and Conti. This rule is part of a broader effort to detect and mitigate advanced persistent threats (APTs) that abuse Active Directory for lateral movement and credential harvesting, and it maps to the MITRE ATT&CK system and account discovery techniques listed below.
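The following Python snippet is an added illustration of the detection logic described above; it is not Anvilogic's rule and does not use the `crowdstrikefdr_process` schema. It runs the two-hour lookback over a handful of constructed process events, matches either on the `adfind.exe` image name or on command-line options that are characteristic of the tool, and tags each hit with the ATT&CK technique from the list on this page. The event field names (`ts`, `host`, `user`, `image`, `cmdline`) and the option-to-technique mapping are assumptions made for the example. The second sample event shows why matching on the command line matters: the binary has been renamed, so an image-name check alone would miss it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumed field names, not the crowdstrikefdr_process schema).
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T10:05:00Z", "host": "WKS-0142", "user": "j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=person -csv"},
    {"ts": "2024-02-09T10:06:30Z", "host": "WKS-0142", "user": "j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\af.exe",      # renamed binary
     "cmdline": "af.exe -sc trustdmp"},
    {"ts": "2024-02-09T04:00:00Z", "host": "SRV-DC01", "user": "admin",
     "image": r"C:\Tools\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},       # outside the 2h window
    {"ts": "2024-02-09T10:10:00Z", "host": "WKS-0200", "user": "a.smith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},                        # benign
]

# Assumed mapping of common AdFind query patterns to the techniques listed on this page.
INDICATORS = [
    (re.compile(r"objectcategory=person", re.I), "T1087.002"),   # domain accounts
    (re.compile(r"objectcategory=group", re.I), "T1069.002"),    # domain groups
    (re.compile(r"objectcategory=computer", re.I), "T1018"),     # remote systems
    (re.compile(r"objectcategory=subnet|(^|\s)-subnets(\s|$)", re.I), "T1016"),  # network config
    (re.compile(r"(^|\s)-sc\s+trustdmp|objectclass=trusteddomain", re.I), "T1482"),  # trusts
]

LOOKBACK = timedelta(hours=2)


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def image_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_adfind(events, now: datetime, window: timedelta = LOOKBACK):
    """Return process events inside [now - window, now] that look like AdFind runs."""
    hits = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ts < now - window or ts > now:
            continue                       # outside the rule's lookback period
        by_name = image_basename(ev["image"]) == "adfind.exe"
        techniques = [tid for rx, tid in INDICATORS if rx.search(ev["cmdline"])]
        if by_name or techniques:
            hits.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "user": ev["user"],
                "image": ev["image"],
                "matched_by": "image name" if by_name else "command line",
                "techniques": techniques,
            })
    return hits


# Constructed "current time" so the sample run is reproducible.
SAMPLE_NOW = parse_ts("2024-02-09T10:30:00Z")


def run_sample():
    """Run the detection over the constructed events; two of the four should alert."""
    return detect_adfind(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['ts']} {hit['host']} {hit['user']} "
              f"[{hit['matched_by']}] {hit['image']} -> {hit['techniques']}")
```

In a production query the same two conditions (image name, command-line options) would be expressed as predicates over the process table, and the matched technique IDs are what you would carry into the alert so the analyst sees which discovery activity the command line implies.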
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1016
  • T1018
  • T1069.002
  • T1087.002
  • T1482
Created: 2024-02-09