
Potential Discovery Activity Via Dnscmd.EXE

Sigma Rules

Summary
This detection rule identifies execution of dnscmd.exe with command-line arguments that indicate DNS enumeration. dnscmd.exe is a built-in Windows command-line tool for managing DNS servers, and an attacker with access to it can use it to retrieve sensitive information about DNS zones. The rule matches processes whose image name ends with dnscmd.exe and whose command line contains one of the indicators '/enumrecords', '/enumzones', '/ZonePrint', or '/info'. A match means a user or service is attempting to enumerate DNS records or zones, a common reconnaissance step in the attack lifecycle, mapped here under the MITRE ATT&CK framework to discovery (T1046) and execution (T1543.003). Legitimate administrative use of dnscmd.exe will produce false positives, so alerts need enough context (user, host, parent process, time) to separate routine administration from reconnaissance. An appropriate response is to raise an alert for the security team to investigate any use of dnscmd.exe that falls outside the normal administrative baseline.
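As an added example that is not part of the Sigma rule or the project, the selection logic described above applied in Python to a handful of constructed process-creation events; the ProcessEvent fields and the sample accounts and hosts are assumptions, not telemetry from the page:

```python
# Added example: a minimal matcher for the rule's selection, run over
# constructed Sysmon-style process-creation events (not real telemetry).
from dataclasses import dataclass

# Indicators named in the rule summary. Sigma 'contains' matching is
# case-insensitive by default, so the comparison below lowercases both sides.
DNSCMD_INDICATORS = ("/enumrecords", "/enumzones", "/zoneprint", "/info")


@dataclass
class ProcessEvent:
    image: str          # full path of the created process (Image field)
    command_line: str   # command line as logged (CommandLine field)
    user: str           # launching account, kept for triage context


def matches_dnscmd_discovery(event: ProcessEvent) -> bool:
    """True when Image ends with dnscmd.exe AND CommandLine contains
    at least one of the enumeration switches (both case-insensitive)."""
    if not event.image.lower().endswith("dnscmd.exe"):
        return False
    cmd = event.command_line.lower()
    return any(indicator in cmd for indicator in DNSCMD_INDICATORS)


def find_dnscmd_discovery(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if matches_dnscmd_discovery(e)]


# Constructed sample events (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\dnscmd.exe",
                 "dnscmd.exe /EnumZones", "CORP\\svc_scanner"),
    ProcessEvent(r"C:\Windows\System32\dnscmd.exe",
                 "dnscmd dc01.corp.local /ZonePrint corp.local", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\dnscmd.exe",
                 "dnscmd /Info", "CORP\\dnsadmin"),
    # Routine administration with no enumeration switch: not flagged.
    ProcessEvent(r"C:\Windows\System32\dnscmd.exe",
                 "dnscmd /ZoneAdd lab.local /Primary", "CORP\\dnsadmin"),
    # Same switch text from a different binary: the Image check fails.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c echo "/enumzones"', "CORP\\jdoe"),
]

if __name__ == "__main__":
    for hit in find_dnscmd_discovery(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} cmd={hit.command_line}")
```

The last two sample events show the two ways an event escapes the selection, which is also where baseline tuning for administrative accounts would hook in.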
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-07-31