
Summary
This detection rule identifies execution of the Windows command-line tool `nltest.exe` with the `/dclist:` or `/dsgetdc:` parameter. Both arguments enumerate domain controllers within an Active Directory environment. The rule draws on several data sources, notably Sysmon and the Windows Event Log (specifically Event ID 4688), to monitor process execution and command-line arguments. This behavior matters because adversaries and Red Teams commonly use it for reconnaissance: mapping the domain controllers is a precursor to further attacks such as privilege escalation or lateral movement. Effective implementation requires ingesting logs that record process execution, command-line arguments, and the parent process involved. The rule notes potential false positives from legitimate administrative troubleshooting. Documentation and references, including the MITRE ATT&CK framework entry for Technique T1018, provide additional context for understanding the implications of this detection.
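The following is an added example, not the rule's own implementation or code from any detection project, showing the detection logic the summary describes run over constructed process-creation events. The field names (source, event_id, image, command_line, parent_image, user) are assumptions modelled on the process-creation fields of Sysmon Event ID 1 and Security Event ID 4688; the sample events are constructed, not real telemetry. Each alert carries the user, parent process and full command line, since those are what an analyst needs to separate the administrative troubleshooting the rule names as a false-positive source from reconnaissance.

```python
"""Added example: minimal detector for nltest.exe domain-controller enumeration.

Constructed to illustrate the rule summarised above; it is not the rule's own
implementation. Event field names are assumed, modelled on the process-creation
fields of Sysmon Event ID 1 and Security Event ID 4688.
"""
import re

# Process-creation events the rule consumes. The page names Sysmon and Security
# Event ID 4688; mapping Sysmon to Event ID 1 is an assumption.
PROCESS_CREATE_EVENTS = {("sysmon", 1), ("security", 4688)}

# The two switches named by the rule, matched case-insensitively and only as a
# complete switch preceded by start-of-line or whitespace, so "/dclist:" matches
# but a path or argument that merely contains the text does not.
WATCHED_SWITCHES = re.compile(r"(?i)(?:^|\s)/(?:dclist|dsgetdc):")


def image_basename(image: str) -> str:
    """Return the lower-cased file name from a Windows path (works off-Windows)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_nltest_dc_enum(event: dict) -> bool:
    """True when the event is a process creation of nltest.exe using /dclist: or /dsgetdc:."""
    if (event.get("source"), event.get("event_id")) not in PROCESS_CREATE_EVENTS:
        return False
    if image_basename(event.get("image", "")) != "nltest.exe":
        return False
    return WATCHED_SWITCHES.search(event.get("command_line", "")) is not None


def detect(events):
    """Run the rule over a list of events and return triage-ready alerts."""
    alerts = []
    for ev in events:
        if is_nltest_dc_enum(ev):
            alerts.append({
                "user": ev.get("user"),
                "parent": image_basename(ev.get("parent_image", "")),
                "command_line": ev.get("command_line"),
                "technique": "T1018",
            })
    return alerts


# Constructed sample events (not real telemetry). Two should alert, two should not.
SAMPLE_EVENTS = [
    {   # Sysmon process creation, lower-case switch: should alert
        "source": "sysmon", "event_id": 1, "user": "CORP\\jdoe",
        "image": r"C:\Windows\System32\nltest.exe",
        "command_line": "nltest.exe /dclist:corp.example.com",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Security 4688, quoted path and upper-case switch: should alert
        "source": "security", "event_id": 4688, "user": "CORP\\svc-admin",
        "image": r"C:\Windows\System32\NLTEST.EXE",
        "command_line": '"C:\\Windows\\System32\\NLTEST.EXE" /DSGETDC:corp.example.com',
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # nltest.exe with a switch the rule does not watch: no alert
        "source": "sysmon", "event_id": 1, "user": "CORP\\jdoe",
        "image": r"C:\Windows\System32\nltest.exe",
        "command_line": "nltest.exe /sc_query:corp.example.com",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Different binary whose arguments happen to contain the text: no alert
        "source": "security", "event_id": 4688, "user": "CORP\\jdoe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe /dclist: notes.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

When wiring this into a real pipeline, the parent process and user fields are the first things to pivot on: an interactive `cmd.exe` or `powershell.exe` parent under a named administrator during a change window looks different from the same command launched from an unexpected parent or a service account.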
Categories
- Endpoint
- Windows
- Infrastructure
- Cloud
Data Sources
- Windows Registry
- Process
- Application Log
- Active Directory
ATT&CK Techniques
- T1018
Created: 2024-12-10