
Summary
This detection rule identifies execution of the BloodHound and SharpHound tools, which are commonly used for Active Directory enumeration and reconnaissance during attacks. It monitors Windows process creation events and looks for the SharpHound and BloodHound executables together with command-line parameters that indicate an attempt to collect information about user sessions, rights, and group memberships within a Windows domain. Because benign programs may use similar command-line arguments and could trigger false positives, the rule's condition is flexible: any one of several selections is sufficient for a match. This lets the rule catch both tool launches identified by process execution metadata and interactive sessions where the characteristic command-line patterns appear, keeping it broad without being indiscriminate.
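The following is an added illustration, not the rule's own logic or code from the BloodHound project: a small Python detector run over constructed process-creation events. It models the two kinds of selection the summary describes (process metadata naming the tool, and command-line patterns) and combines them with an "any one selection matches" condition. The command-line fragments are assumptions chosen to mirror publicly documented SharpHound options, not the rule's exact strings, and the sample events are constructed for the example.

```python
"""Toy BloodHound/SharpHound process-creation detector (added example, not the rule itself)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal model of a Windows process-creation event (e.g. Sysmon Event ID 1)."""
    image: str          # full path of the created process
    command_line: str   # command line as logged


# Selection 1: the tools launched under their own executable names.
IMAGE_NAMES = {"sharphound.exe", "bloodhound.exe"}

# Selection 2: command-line fragments. ASSUMED for this example: they mirror
# publicly documented SharpHound / Invoke-BloodHound options, not the rule's strings.
CMDLINE_PATTERNS = [
    re.compile(r"invoke-bloodhound", re.IGNORECASE),
    re.compile(
        r"-{1,2}collectionmethods?\s+"
        r"(all|session|loggedon|group|acl|trusts|localadmin|rdp|dcom|objectprops)\b",
        re.IGNORECASE,
    ),
]


def image_basename(path: str) -> str:
    """Lower-cased file name of the image, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sel_image(ev: ProcessEvent) -> bool:
    """Selection on process metadata: the image is one of the known tool names."""
    return image_basename(ev.image) in IMAGE_NAMES


def sel_cmdline(ev: ProcessEvent) -> bool:
    """Selection on command line: catches scripted use and renamed binaries."""
    return any(p.search(ev.command_line) for p in CMDLINE_PATTERNS)


SELECTIONS = {"image": sel_image, "cmdline": sel_cmdline}


def matched_selections(ev: ProcessEvent) -> List[str]:
    """Sigma-style '1 of selection_*': list every selection the event satisfies."""
    return [name for name, fn in SELECTIONS.items() if fn(ev)]


def detect(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched selections) for every event that fires."""
    hits = []
    for idx, ev in enumerate(events):
        sels = matched_selections(ev)
        if sels:
            hits.append((idx, sels))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\SharpHound.exe",
                 "SharpHound.exe -c All"),                       # image selection
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "Import-Module .\\SharpHound.ps1; '
                 'Invoke-BloodHound -CollectionMethod Session"'),  # cmdline selection
    ProcessEvent(r"C:\Temp\collector.exe",
                 "collector.exe --CollectionMethods All --Domain corp.example"),  # renamed binary
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),                       # benign
    ProcessEvent(r"C:\Program Files\Git\bin\git.exe",
                 "git.exe log --all"),                            # benign, contains 'all'
]

if __name__ == "__main__":
    for idx, sels in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{','.join(sels)}] {ev.image}  {ev.command_line}")
```

The third sample shows why the command-line selection exists alongside the image-name selection: a renamed collector still exposes its characteristic arguments. Tuning for false positives belongs in the selections themselves (tighter patterns, or an explicit filter on known administrative tooling), not in relaxing the "any selection" condition.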
Categories
- Windows
- Endpoint
- Network
- Identity Management
Data Sources
- Process
Created: 2019-12-20