Adfind Commands

Anvilogic Forge

Summary
The Adfind Commands detection rule identifies misuse of the AdFind command-line query tool, which threat actors frequently use to gather information from Active Directory environments. Because adversaries may rename the AdFind binary to evade detection, the rule does not key on the process name; instead it looks for the command-line arguments characteristic of common AdFind queries executed on Windows hosts. The SQL query sifts through EDR logs from the CrowdStrike data source for recent process executions whose arguments match recognizable AdFind patterns, primarily those that filter on object categories and enumerate membership lists. Matching these patterns helps surface reconnaissance activity by known threat actor groups such as APT29 and BlackMatter. The rule uses the built-in functions of the Snowflake logic format to retrieve matching events within a specified timeframe, supporting the incident response work of security teams.
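The following Python script is an added example that mirrors the shape of the rule described above: it flags process events by their AdFind-style arguments rather than the image name, and restricts itself to a lookback window. It is not the rule's own Snowflake SQL and not CrowdStrike's schema; the field names, the two regular expressions, the fixed clock and the sample events are all constructed for this illustration.

```python
"""Added example: flag AdFind-style command lines regardless of the binary
name, in the spirit of the Adfind Commands rule. Field names, patterns and
the sample events are constructed here and are not the rule's own SQL or
CrowdStrike's event schema."""
import re
from datetime import datetime, timedelta, timezone

# Assumed patterns: AdFind LDAP filters are written as objectcategory=...,
# and membership dumps request the member / memberOf attributes after a -f filter.
ADFIND_PATTERNS = {
    "object_category_filter": re.compile(r"objectcategory\s*=", re.IGNORECASE),
    "membership_list": re.compile(r"(?:^|\s)-f\b.*\bmember(?:of)?\b", re.IGNORECASE),
}

# Fixed clock so the example is repeatable (assumption, not a real timestamp).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "host": "WS01", "user": "jdoe", "image": "AdFind.exe",
     "cmdline": 'AdFind.exe -f "objectcategory=person" -csv > persons.csv'},
    # Renamed binary: the image name says nothing, the arguments do.
    {"ts": NOW - timedelta(minutes=3), "host": "WS02", "user": "svc_backup", "image": "svchost.exe",
     "cmdline": 'svchost.exe -f "(objectcategory=group)" member -csv'},
    {"ts": NOW - timedelta(minutes=2), "host": "WS03", "user": "admin", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    # Near miss: the word appears, but not as an LDAP filter, so it must not alert.
    {"ts": NOW - timedelta(minutes=1), "host": "WS04", "user": "jdoe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\temp\\objectcategory_notes.txt"},
    # Matches the pattern, but falls outside the lookback window.
    {"ts": NOW - timedelta(days=10), "host": "WS05", "user": "jdoe", "image": "AdFind.exe",
     "cmdline": 'AdFind.exe -f "objectcategory=computer"'},
]


def match_adfind(cmdline):
    """Return the sorted names of the AdFind patterns present in a command line."""
    return sorted(name for name, rx in ADFIND_PATTERNS.items() if rx.search(cmdline))


def detect(events, now=NOW, lookback=timedelta(hours=24)):
    """Recent process events whose arguments look like AdFind queries."""
    alerts = []
    for ev in events:
        if ev["ts"] < now - lookback:
            continue  # outside the rule's timeframe
        hits = match_adfind(ev["cmdline"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                           "patterns": hits, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['image']} {a['patterns']}: {a['cmdline']}")
```

Running the script alerts on WS01 and WS02 only: the renamed binary on WS02 is caught by its arguments, the notepad event on WS04 is ignored because `objectcategory` is not followed by `=`, and the WS05 event is dropped by the lookback check. The `patterns` list on each alert tells an analyst which AdFind behaviour (object-category filter, membership enumeration, or both) triggered it.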
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • User Account
ATT&CK Techniques
  • T1087.002
  • T1069.002
  • T1482
  • T1016
  • T1018
Created: 2024-02-09