
Summary
The rule "Active Directory Discovery using AdExplorer" detects use of the ADExplorer utility, an advanced viewer and editor for Microsoft Active Directory that can save snapshots of the AD database for offline comparison. Because adversaries may use this tool for domain reconnaissance, detecting its execution matters. The rule uses EQL (Event Query Language) to search for execution of the ADExplorer executable on Windows systems.

Because system administrators use ADExplorer legitimately, the rule is prone to false positives, so careful investigation is needed to separate genuine administrative activity from potential abuse. Suggested investigation steps are to identify the user who initiated the action, inspect the file created by ADExplorer, and review related alerts from the past 48 hours. The recommended response is to initiate incident response, isolate affected hosts, and run a full antimalware scan.

The rule maps to several MITRE ATT&CK techniques under the discovery tactic, giving coverage of potential reconnaissance efforts in a Windows environment.
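The following is an added example, not the rule's own EQL query or any vendor code. It shows the same detection idea (match process-creation events for the ADExplorer executable) over a small set of constructed events, then gathers the triage context the investigation steps above call for: the initiating user, files the process wrote, and other alerts on the host in the previous 48 hours. The event schema (type, host, user, name, path, process, rule fields), the optional orig_name field, the one-hour file window and the allowlisted tools directory are all assumptions made for this example.

```python
"""Detect ADExplorer execution in process events and collect triage context.

Added example; the event schema and the sample events below are constructed
and do not come from the rule or from any specific sensor.
"""
from datetime import datetime, timedelta

# Executable name the detection matches (case-insensitive).
ADEXPLORER_NAMES = {"adexplorer.exe"}

# Assumed allowlist of directories where administrators keep the tool;
# an execution from anywhere else is worth a closer look.
KNOWN_TOOL_DIRS = ("c:\\tools\\sysinternals\\",)

# Constructed sample telemetry: process starts, file creates and prior alerts.
EVENTS = [
    {"ts": "2025-09-01T08:00:00", "host": "WS01", "type": "process",
     "user": "CORP\\j.admin", "name": "AdExplorer.exe",
     "path": "C:\\Tools\\Sysinternals\\AdExplorer.exe"},
    {"ts": "2025-09-01T08:00:05", "host": "WS01", "type": "file",
     "user": "CORP\\j.admin", "process": "AdExplorer.exe",
     "path": "C:\\Users\\j.admin\\Documents\\corp-snapshot.dat"},
    {"ts": "2025-09-01T09:30:00", "host": "WS07", "type": "process",
     "user": "CORP\\svc-print", "name": "adexplorer.exe",
     "path": "C:\\Users\\Public\\adexplorer.exe"},
    {"ts": "2025-09-01T09:30:12", "host": "WS07", "type": "file",
     "user": "CORP\\svc-print", "process": "adexplorer.exe",
     "path": "C:\\Users\\Public\\ad.dat"},
    {"ts": "2025-08-29T09:00:00", "host": "WS07", "type": "alert",
     "rule": "Suspicious PowerShell Download"},
    {"ts": "2025-08-31T12:00:00", "host": "WS07", "type": "alert",
     "rule": "Unusual Network Logon"},
    {"ts": "2025-09-01T10:00:00", "host": "WS03", "type": "process",
     "user": "CORP\\b.user", "name": "notepad.exe",
     "path": "C:\\Windows\\notepad.exe"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_adexplorer(events):
    """Return process events whose executable name (or the PE original file
    name, when the sensor supplies one under the assumed 'orig_name' field)
    matches ADExplorer. Checking the original name as well as the on-disk name
    keeps the match from depending on the file name alone."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        names = {ev.get("name", "").lower(), ev.get("orig_name", "").lower()}
        if names & ADEXPLORER_NAMES:
            hits.append(ev)
    return hits


def triage(hit, events, alert_window=timedelta(hours=48),
           file_window=timedelta(hours=1)):
    """Collect the context the investigation steps ask for: the user who ran
    the tool, files written by the ADExplorer process shortly after it started
    (candidate snapshot files), and other alerts on the same host within the
    preceding 48 hours. 'escalate' is a simple heuristic, not part of the rule:
    it is set when the binary ran from outside the allowlisted directory or
    when the host already had related alerts."""
    start = _parse(hit["ts"])
    files = [
        ev["path"] for ev in events
        if ev.get("type") == "file" and ev["host"] == hit["host"]
        and ev.get("process", "").lower() == hit["name"].lower()
        and start <= _parse(ev["ts"]) <= start + file_window
    ]
    alerts = [
        ev["rule"] for ev in events
        if ev.get("type") == "alert" and ev["host"] == hit["host"]
        and start - alert_window <= _parse(ev["ts"]) <= start
    ]
    from_known_dir = hit["path"].lower().startswith(KNOWN_TOOL_DIRS)
    return {
        "host": hit["host"],
        "user": hit["user"],
        "image": hit["path"],
        "snapshot_files": files,
        "related_alerts": alerts,
        "escalate": (not from_known_dir) or bool(alerts),
    }


if __name__ == "__main__":
    for hit in detect_adexplorer(EVENTS):
        print(triage(hit, EVENTS))
```

Run as a script, the example reports two ADExplorer executions: the WS01 run from the tools directory with no prior alerts, and the WS07 run from a user-writable path on a host that had an alert inside the 48-hour window, which is the one the heuristic marks for escalation. In a real deployment the process name match is the detection and the triage fields are what an analyst would pull from the SIEM before deciding whether to isolate the host.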
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
- Process
- Network Traffic
- Application Log
- User Account
ATT&CK Techniques
- T1016
- T1018
- T1069
- T1069.002
- T1087
- T1087.002
- T1482
Created: 2025-09-01