
Summary
This detection rule identifies suspicious executions of the AdFind tool on Windows systems. Attackers often use AdFind for reconnaissance, particularly to enumerate Active Directory (AD) entities. The rule looks specifically for command-line arguments that are frequently associated with malicious activity; the key indicators include flags such as 'domainlist', 'adinfo' and 'dcmodes', among others, whose presence suggests unauthorized activity or misuse of an administrative tool. As organizations increasingly rely on Active Directory for identity management, tools like AdFind present significant risk when used without proper oversight, so monitoring their execution is crucial for identifying reconnaissance attempts by threat actors and preventing escalation to more severe attacks.
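The following Python script is an added illustration of the matching logic described above, not the rule's own implementation. It scans constructed Sysmon-style process-creation events for the three indicator tokens the summary names ('domainlist', 'adinfo', 'dcmodes'); the summary says the real rule covers further flags, so the tuple is assumed to be a starting point rather than the full set. Matching is done on the command line rather than the image name, so a renamed AdFind binary is still caught, and tokens are matched as whole switches so that a file such as "domainlister.exe" does not fire.

```python
import re
from typing import Dict, List

# Indicator tokens named in the rule description above. The description says the
# rule also covers "others", so extend this tuple from your own copy of the rule;
# the three here are the only ones the page states.
ADFIND_INDICATORS = ("domainlist", "adinfo", "dcmodes")

# One case-insensitive pattern that matches any indicator as a standalone token.
# The lookarounds allow a leading '-' or '/' (switch prefixes) but reject a
# letter or digit on either side, so "domainlister.exe" does not fire.
_INDICATOR_RE = re.compile(
    r"(?<![A-Za-z0-9])(" + "|".join(map(re.escape, ADFIND_INDICATORS)) + r")(?![A-Za-z0-9])",
    re.IGNORECASE,
)


def matched_indicators(command_line: str) -> List[str]:
    """Return the indicator tokens present in a command line, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in _INDICATOR_RE.finditer(command_line)})


def is_suspicious_adfind(event: Dict[str, str]) -> bool:
    """True when a process-creation event's command line carries any indicator.

    The check deliberately ignores the image name: a renamed AdFind binary still
    has to pass these switches on its command line.
    """
    return bool(matched_indicators(event.get("CommandLine", "")))


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a list of events and return one alert per hit."""
    alerts = []
    for event in events:
        hits = matched_indicators(event.get("CommandLine", ""))
        if hits:
            alerts.append({
                "time": event.get("UtcTime", ""),
                "user": event.get("User", ""),
                "image": event.get("Image", ""),
                "indicators": hits,
            })
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2021-02-02 10:00:01", "User": "CORP\\jdoe",
     "Image": "C:\\Tools\\AdFind.exe",
     "CommandLine": "AdFind.exe -sc domainlist"},
    {"UtcTime": "2021-02-02 10:00:05", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\Public\\svc.exe",  # renamed copy of the tool
     "CommandLine": "svc.exe -adinfo"},
    {"UtcTime": "2021-02-02 10:01:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"UtcTime": "2021-02-02 10:02:00", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Inventory\\domainlister.exe",  # near-miss, benign
     "CommandLine": "\"C:\\Program Files\\Inventory\\domainlister.exe\" --all"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']} {alert['image']}: {alert['indicators']}")
```

Run against the constructed events, the script raises two alerts (the genuine AdFind invocation and the renamed copy) and stays silent on the svchost and domainlister events. In production, feed it the CommandLine field of your process-creation telemetry and review hits together with the user and parent process, since legitimate administrators also run AdFind.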
Categories
- Endpoint
- Windows
- Infrastructure
- Identity Management
Data Sources
- Process
ATT&CK Techniques
- T1087.002
Created: 2021-02-02