
Summary
This detection rule monitors execution of the `ldifde.exe` utility in a Windows environment. `ldifde.exe` is a built-in command-line tool for exporting and importing Active Directory (AD) data in LDIF format. By inspecting the command-line parameters passed to the executable, the rule flags potential unauthorized exports of the AD structure, which are a common precursor to reconnaissance or data exfiltration during a compromise. The rule matches process executions of `ldifde.exe` whose command line contains the `-f` parameter (the output file, indicating export use) and excludes command lines that also contain the `-i` parameter, which selects import mode. All conditions on the `ldifde.exe` execution must be met, and the `-i` exclusion keeps routine import operations from producing false positives. This approach helps surface potentially malicious handling of AD data and mitigates the risk of directory information leaking out of the environment.
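The following is an added example, not the rule's own code, that re-implements the detection logic described above as a small Python function and runs it over constructed process-creation events. The event field names `Image` and `CommandLine` and the sample command lines are assumptions modelled on typical Windows process-creation telemetry; the match semantics follow the description (case-insensitive substring checks for `-f` and `-i`).

```python
"""Minimal re-implementation of the ldifde.exe export detection (added example).

Assumed event shape: a dict with "Image" (full path of the executable) and
"CommandLine" fields, as found in Windows process-creation telemetry.
"""


def is_ldifde_export(event: dict) -> bool:
    """Return True if the event looks like an ldifde.exe export.

    Conditions (all must hold, mirroring the rule description):
      1. the image name ends with \\ldifde.exe (case-insensitive)
      2. the command line contains "-f" (export to file)
      3. the command line does NOT contain "-i" (import mode, excluded)

    The "-f"/"-i" checks are plain case-insensitive substring matches, so a
    command line containing "-i" anywhere (not only as a switch) is excluded.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()

    if not image.endswith("\\ldifde.exe"):
        return False
    if "-f" not in cmd:
        return False
    if "-i" in cmd:
        return False
    return True


def find_exports(events: list) -> list:
    """Return the command lines of all events matching the detection."""
    return [e["CommandLine"] for e in events if is_ldifde_export(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # export of the whole domain to a world-readable location: should match
        "Image": "C:\\Windows\\System32\\ldifde.exe",
        "CommandLine": 'ldifde.exe -f C:\\Users\\Public\\ad_export.ldf -d "DC=corp,DC=local"',
    },
    {   # import from a file: contains -f but also -i, so excluded
        "Image": "C:\\Windows\\System32\\ldifde.exe",
        "CommandLine": "ldifde.exe -i -f C:\\temp\\newusers.ldf",
    },
    {   # unrelated process mentioning -f: wrong image, no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir -f",
    },
    {   # same export invoked with odd casing: still matches
        "Image": "c:\\windows\\system32\\LDIFDE.EXE",
        "CommandLine": "LDIFDE -F users.ldf -R (objectClass=user)",
    },
]


if __name__ == "__main__":
    for cmd in find_exports(SAMPLE_EVENTS):
        print("ALERT ldifde export:", cmd)
```

Running the block prints two alerts (the first and fourth sample events). A detection engineer tuning this rule would look at the excluded second event and the matched fourth one to confirm the export/import split behaves as intended for their environment's telemetry.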
Categories
- Windows
Data Sources
- Process
Created: 2023-03-14