Enumerating Domain Trusts via DSQUERY.EXE

Elastic Detection Rules

Summary
The rule 'Enumerating Domain Trusts via DSQUERY.EXE' identifies use of the dsquery.exe command-line utility in Windows environments to discover domain trust relationships. Attackers often use this utility to enumerate trust configurations within a multi-domain Active Directory environment as part of lateral movement. The detection analyzes process execution events for instances where dsquery.exe is executed with arguments containing `objectClass=trustedDomain`. A risk score of 21 places this rule at low severity: the activity may signify a threat, but domain administrators have numerous legitimate uses for it. Analysts are advised to investigate the chain of processes leading to the execution of dsquery.exe, the user account involved, previous alerts related to that user or host, and the context of the command's execution to determine whether further action is required. The rule notes potential false positives, stressing that authorized administrative activity may trigger this detection. Related rules for further analysis are also noted, reflecting the interconnected nature of Active Directory trust-related behaviors.
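The matching logic described in the summary, written out as an added, self-contained example rather than Elastic's own rule query: it runs over a handful of constructed process-start events (ECS-style field names are assumed), flags dsquery.exe invocations whose arguments contain `objectClass=trustedDomain`, and attaches the triage context the summary says an analyst should look at (user, host, parent process). The check on `process.pe.original_file_name` is an assumption added here so that the match does not depend solely on the file name as executed.

```python
"""Toy detector for dsquery.exe domain-trust enumeration (added example).

Events use ECS-like field names (process.name, process.args, user.name, ...);
all sample events below are constructed for this example, not real telemetry.
"""
import re
from typing import Dict, Iterable, List

# Case-insensitive match that tolerates the LDAP filter form
# "(objectClass=trustedDomain)" with or without spaces around '='.
TRUSTED_DOMAIN_RE = re.compile(r"objectClass\s*=\s*trustedDomain", re.IGNORECASE)

RISK_SCORE = 21       # as stated in the rule summary
SEVERITY = "low"


def matches_rule(event: Dict) -> bool:
    """Return True when the event is a Windows process start of dsquery.exe
    whose arguments reference the trustedDomain object class."""
    if event.get("event.type") != "start" or event.get("host.os.type") != "windows":
        return False
    name = (event.get("process.name") or "").lower()
    # Assumption: also honour the PE original file name so a renamed copy
    # of the binary still matches (not necessarily how the real rule works).
    original = (event.get("process.pe.original_file_name") or "").lower()
    if name != "dsquery.exe" and original != "dsquery.exe":
        return False
    args: List[str] = event.get("process.args") or []
    if not args and event.get("process.command_line"):
        args = [event["process.command_line"]]
    return any(TRUSTED_DOMAIN_RE.search(a) for a in args)


def alerts(events: Iterable[Dict]) -> List[Dict]:
    """Run the detector over events and return alert records carrying the
    context an analyst needs for triage (user, host, parent process)."""
    out = []
    for ev in events:
        if matches_rule(ev):
            out.append({
                "rule": "Enumerating Domain Trusts via DSQUERY.EXE",
                "risk_score": RISK_SCORE,
                "severity": SEVERITY,
                "user": ev.get("user.name"),
                "host": ev.get("host.name"),
                "parent": ev.get("process.parent.name"),
                "command_line": ev.get("process.command_line"),
            })
    return out


# Constructed sample events: two should match, four should not.
SAMPLE_EVENTS = [
    {   # 0: classic trust enumeration -> match
        "event.type": "start", "host.os.type": "windows", "host.name": "DC01",
        "user.name": "svc-admin", "process.name": "dsquery.exe",
        "process.parent.name": "cmd.exe",
        "process.args": ["dsquery.exe", "*", "-filter", "(objectClass=trustedDomain)",
                         "-attr", "cn", "flatName", "trustDirection"],
        "process.command_line": 'dsquery.exe * -filter "(objectClass=trustedDomain)" -attr cn flatName trustDirection',
    },
    {   # 1: routine dsquery use with no trust filter -> no match
        "event.type": "start", "host.os.type": "windows", "host.name": "WS07",
        "user.name": "helpdesk", "process.name": "dsquery.exe",
        "process.parent.name": "powershell.exe",
        "process.args": ["dsquery.exe", "user", "-name", "jdoe"],
        "process.command_line": "dsquery.exe user -name jdoe",
    },
    {   # 2: same arguments but not a Windows host -> no match
        "event.type": "start", "host.os.type": "linux", "host.name": "build01",
        "user.name": "ci", "process.name": "dsquery.exe",
        "process.args": ["dsquery.exe", "*", "-filter", "(objectClass=trustedDomain)"],
    },
    {   # 3: renamed binary, original PE name retained, lower-case args -> match
        "event.type": "start", "host.os.type": "windows", "host.name": "WS12",
        "user.name": "contractor", "process.name": "dq.exe",
        "process.pe.original_file_name": "dsquery.exe",
        "process.parent.name": "explorer.exe",
        "process.args": ["dq.exe", "*", "-filter", "(objectclass=trusteddomain)"],
        "process.command_line": 'dq.exe * -filter "(objectclass=trusteddomain)"',
    },
    {   # 4: the string appears, but the process is not dsquery -> no match
        "event.type": "start", "host.os.type": "windows", "host.name": "WS03",
        "user.name": "dev", "process.name": "cmd.exe",
        "process.args": ["cmd.exe", "/c", "echo objectClass=trustedDomain"],
    },
    {   # 5: process end event, not a start -> no match
        "event.type": "end", "host.os.type": "windows", "host.name": "DC01",
        "user.name": "svc-admin", "process.name": "dsquery.exe",
        "process.args": ["dsquery.exe", "*", "-filter", "(objectClass=trustedDomain)"],
    },
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints the two alerts (for `svc-admin` on DC01 and `contractor` on WS12); the other four events are ignored for the reasons noted beside each one. The low risk score is carried on the alert so downstream triage can weigh it against the user's and host's prior history, as the summary recommends.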
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Active Directory
  • Network Traffic
ATT&CK Techniques
  • T1018
  • T1482
Created: 2023-01-27