
Get-ForestTrust with PowerShell

Splunk Security Content

Summary
This analytic detects execution of the PowerShell cmdlet Get-ForestTrust, which attackers use to gather domain trust information. The activity is typically seen during the reconnaissance phase, when adversaries map trust relationships that could enable lateral movement and privilege escalation. The detection works on telemetry from Endpoint Detection and Response (EDR) agents, specifically process and command-line events associated with PowerShell or the command prompt. Catching this activity early matters because it precedes any misuse of the gathered trust information; confirmed malicious use of the command could indicate unauthorized access or further attacks against the infrastructure.
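The detection logic described above, reduced to a runnable illustration (added here; this is not the Splunk rule's SPL or the project's own code). It scans constructed EDR process-creation events, keeps only PowerShell or command-prompt processes (the `SHELL_PROCESSES` set is an assumption), and flags command lines that invoke Get-ForestTrust, tagging each hit with T1482.

```python
import re

# Constructed sample EDR process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "process_name": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ForestTrust -Forest corp.example"'},
    {"host": "ws02", "user": "CORP\\bob", "process_name": "cmd.exe",
     "cmdline": "cmd.exe /c powershell get-foresttrust"},
    {"host": "ws03", "user": "CORP\\carol", "process_name": "pwsh.exe",
     "cmdline": "pwsh.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws04", "user": "CORP\\dave", "process_name": "notepad.exe",
     "cmdline": "notepad.exe Get-ForestTrust-notes.txt"},
]

# Assumed set of process names treated as "PowerShell or command prompt".
SHELL_PROCESSES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe"}

# Case-insensitive match: PowerShell cmdlet names are not case sensitive,
# so "get-foresttrust" must be caught as well as "Get-ForestTrust".
FOREST_TRUST_RE = re.compile(r"get-foresttrust", re.IGNORECASE)


def is_shell_process(event):
    """True when the event's process is PowerShell or cmd.exe."""
    return event.get("process_name", "").lower() in SHELL_PROCESSES


def detect_forest_trust_enum(events):
    """Return one alert per event where a shell process ran Get-ForestTrust.

    Non-shell processes mentioning the string (e.g. a notepad file name) are
    ignored, mirroring the rule's scope of PowerShell/command-prompt telemetry.
    """
    alerts = []
    for ev in events:
        if not is_shell_process(ev):
            continue
        if FOREST_TRUST_RE.search(ev.get("cmdline", "")):
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "process_name": ev["process_name"],
                "cmdline": ev["cmdline"],
                "technique": "T1482",  # Domain Trust Discovery
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_forest_trust_enum(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['host']} {alert['user']}: {alert['cmdline']}")
```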
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1482
Created: 2024-11-13