Renamed AdFind Execution

Summary
This detection rule identifies the execution of a renamed copy of 'AdFind.exe', a tool used for reconnaissance during intrusions, particularly for domain trust discovery. Attackers use it to enumerate Active Directory objects, properties and relationships, which helps them plan subsequent stages of an attack. Certain combinations of command-line options passed to the tool can indicate unauthorized use. The rule combines several detection criteria: specific command-line arguments, a check of the binary's original file name (which survives a rename on disk), and file hashes of known AdFind executables. Its high alert level reflects the significance of this activity, which is associated with advanced persistent threat actors in the post-exploitation phase. AdFind's presence in numerous breaches makes it a staple of the attacker's toolkit and a worthwhile target for robust detection.
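The three criteria the summary describes, modelled as detection logic over constructed Sysmon-style process-creation events. This is an added example, not the Sigma rule itself: the hash value and the sample telemetry are constructed, and the single command-line marker (`trustdmp`, AdFind's trust-dump switch) is an assumption standing in for the rule's real argument list, which this page does not reproduce.

```python
import ntpath

# Constructed stand-in for the rule's hash list; NOT real AdFind hashes.
KNOWN_ADFIND_SHA256 = {"a" * 64}
# Assumed marker for AdFind's domain-trust dump switch; the rule's real
# command-line argument list is not reproduced on this page.
RECON_CLI_MARKERS = ("trustdmp",)


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algo: lowercase_hash}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}


def matched_criteria(event: dict) -> list:
    """Return the rule criteria that fire for one process-creation event.

    Every criterion requires the on-disk filename to differ from AdFind.exe,
    because the rule targets the renamed binary, not ordinary AdFind use.
    """
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name == "adfind.exe":
        return []
    hits = []
    # 1. PE version resource still says AdFind.exe although the file was renamed.
    if event.get("OriginalFileName", "").lower() == "adfind.exe":
        hits.append("original_filename")
    # 2. Hash matches a known AdFind build, even if the resource was stripped.
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in KNOWN_ADFIND_SHA256:
        hits.append("known_hash")
    # 3. Command line carries AdFind-specific reconnaissance switches.
    cmd = event.get("CommandLine", "").lower()
    if any(marker in cmd for marker in RECON_CLI_MARKERS):
        hits.append("command_line")
    return hits


def detect(events: list) -> list:
    """Return (Image, criteria) pairs for events the rule would alert on."""
    alerts = []
    for event in events:
        hits = matched_criteria(event)
        if hits:
            alerts.append((event["Image"], hits))
    return alerts


# Constructed sample telemetry (Sysmon Event ID 1 style), not real captures.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\ad.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "ad.exe -sc trustdmp", "Hashes": "SHA256=" + "a" * 64},
    {"Image": r"C:\Tools\AdFind.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "AdFind.exe -sc trustdmp", "Hashes": "SHA256=" + "a" * 64},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt", "Hashes": "SHA256=" + "b" * 64},
]

if __name__ == "__main__":
    for image, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

Only the first sample alerts: the second is AdFind under its own name (outside this rule's scope) and the third is an unrelated process.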
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2022-08-21