AdFind Command Activity

Elastic Detection Rules

Summary
This rule detects execution of AdFind.exe, a legitimate Active Directory query tool that, despite its legitimate uses, is frequently abused by threat actors for reconnaissance after initial compromise. Major threats that have leveraged this tool include malware strains associated with Trickbot, Ryuk, Maze, and FIN6. The detection queries Winlogbeat logs for parameters that identify execution of AdFind.exe together with its common command line arguments for querying Active Directory objects. When the rule fires, investigating the user account and the context in which the tool ran is crucial to distinguish malicious intent from legitimate administrative activity; because administrators use the tool legitimately, false positives are possible. The rule monitors endpoint processes across several Elastic Stack indices, so Sysmon must be configured on the Windows hosts being monitored. Investigative findings may drive further anomaly detection and security improvements, depending on the outcome of the initial response.
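As an added illustration (not the Elastic rule's own query or code), the following Python sketches the detection logic the summary describes, run over constructed Winlogbeat/Sysmon-style process events, and also catches a renamed copy of the binary via its PE original file name. The sample events, the helper names and the argument pattern list are assumptions; the switch names are taken from AdFind's documentation, not from the rule.

```python
import re

# Constructed process-creation events in the ECS shape Winlogbeat forwards
# from Sysmon Event ID 1; invented samples, not real telemetry.
def make_event(name, orig, cmd, user):
    return {"process": {"name": name, "pe": {"original_file_name": orig},
                        "command_line": cmd}, "user": {"name": user}}

SAMPLE_EVENTS = [
    make_event("AdFind.exe", "AdFind.exe", "AdFind.exe -f objectcategory=computer", "svc_backup"),
    make_event("a.exe", "AdFind.exe", "a.exe -sc trustdmp", "jdoe"),  # renamed binary
    make_event("AdFind.exe", "AdFind.exe", "AdFind.exe -h", "admin1"),  # no recon args
    make_event("cmd.exe", "Cmd.Exe", "cmd.exe /c dir", "jdoe"),
]

# Argument patterns typical of AD reconnaissance with AdFind. Switch names are
# from AdFind's documentation; the selection is an assumption, not the exact
# list the Elastic rule matches on.
RECON_PATTERNS = {
    "ldap_filter": re.compile(r"objectcategory=", re.I),
    "shortcut_dump": re.compile(r"-sc\s+(trustdmp|domainlist|dcmodes|adinfo|admincountdmp)", re.I),
    "subnets": re.compile(r"-subnets", re.I),
    "domain_admins": re.compile(r"domain admins", re.I),
}

def is_adfind(event):
    # Check the PE original file name too, so a renamed copy is still caught.
    proc = event.get("process", {})
    names = (proc.get("name", ""), proc.get("pe", {}).get("original_file_name", ""))
    return any(n.lower() == "adfind.exe" for n in names)

def matched_patterns(command_line):
    return [label for label, rx in RECON_PATTERNS.items() if rx.search(command_line)]

def evaluate(events):
    # One finding per AdFind run carrying recon arguments; a bare AdFind run
    # (e.g. "-h") is left for triage rather than alerted on.
    findings = []
    for event in events:
        if not is_adfind(event):
            continue
        proc = event["process"]
        hits = matched_patterns(proc.get("command_line", ""))
        if hits:
            findings.append({"user": event.get("user", {}).get("name", "unknown"),
                             "command_line": proc["command_line"], "patterns": hits,
                             "renamed": proc.get("name", "").lower() != "adfind.exe"})
    return findings
```

The `renamed` flag is the triage hint a practitioner would want: a matching original file name under a different process name is much less likely to be routine administration.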
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1016
  • T1018
  • T1069
  • T1069.002
  • T1087
  • T1087.002
  • T1482
Created: 2020-10-19