AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

Sigma Rules

Summary
This rule identifies PowerShell script blocks that adversaries may use to enumerate Active Directory (AD) groups and users. With cmdlets such as Get-ADPrincipalGroupMembership and Get-ADUser, an attacker can map domain-level group memberships and pick out targets with elevated privileges, such as members of Domain Admins. The rule requires Script Block Logging to be enabled, because it matches on the script block text recorded in the Microsoft-Windows-PowerShell/Operational log (Event ID 4104); without that telemetry the activity is not captured. A detection fires when the logged script block contains keywords associated with AD querying cmdlets, which indicates possible reconnaissance in an enterprise environment. Administrators and scheduled scripts also run these cmdlets legitimately, so organizations should baseline expected usage and tune the rule before treating a match as evidence of unauthorized insight into their AD structure.
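The following is an added example, not the Sigma rule itself or code from the Sigma project. It shows the keyword match the summary describes applied to constructed Event ID 4104 records: the keyword list is assumed from the two cmdlets named above (the real rule may list more), the event dictionaries are constructed samples rather than real telemetry, and the last sample illustrates a limitation of substring matching, a command name assembled at runtime that the logged script block text does not contain.

```python
"""Keyword match over PowerShell Script Block Logging events (Event ID 4104).

Added example: the keyword list is assumed from the rule summary, the events
below are constructed, and the functions are not part of the Sigma rule.
"""

# Assumed from the summary; the full rule may contain additional keywords.
AD_ENUM_KEYWORDS = (
    "Get-ADPrincipalGroupMembership",
    "Get-ADUser",
)

# Script Block Logging writes to Microsoft-Windows-PowerShell/Operational as 4104.
SCRIPT_BLOCK_EVENT_ID = 4104


def matches_ad_enum(script_block_text):
    """Return the keywords found in a script block.

    Sigma 'contains' modifiers are case-insensitive, so compare lowercased text.
    """
    lowered = script_block_text.lower()
    return [kw for kw in AD_ENUM_KEYWORDS if kw.lower() in lowered]


def scan_events(events):
    """Return (event, hits) pairs for 4104 events whose ScriptBlockText matches."""
    results = []
    for ev in events:
        # Only script block events carry the text this rule inspects;
        # 4103 (module logging) records pipeline details in a different shape.
        if ev.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        hits = matches_ad_enum(ev.get("ScriptBlockText", ""))
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01.corp.example", "ScriptBlockText":
        "Get-ADPrincipalGroupMembership -Identity svc_backup | Select-Object name"},
    {"EventID": 4104, "Computer": "WS01.corp.example", "ScriptBlockText":
        "get-aduser -Filter * -Properties memberof | "
        "Where-Object { $_.memberof -match 'Domain Admins' }"},
    {"EventID": 4104, "Computer": "WS02.corp.example", "ScriptBlockText":
        "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    # Same cmdlet, but logged as a module-logging event: the rule does not apply.
    {"EventID": 4103, "Computer": "WS02.corp.example", "ScriptBlockText":
        "Get-ADUser -Identity jdoe"},
    # Command name built at run time: the block text never contains 'Get-ADUser',
    # so a substring rule misses it even though the same cmdlet executes.
    {"EventID": 4104, "Computer": "WS03.corp.example", "ScriptBlockText":
        "& ('Get-AD' + 'User') -Identity jdoe -Properties memberof"},
]


def sample_alerts():
    """Run the sample events through the matcher; returns the alerting pairs."""
    return scan_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev, hits in sample_alerts():
        print(f"{ev['Computer']}: {hits} in {ev['ScriptBlockText']!r}")
```

The two alerts in the sample come from the first two events; the lowercase `get-aduser` still matches because the comparison is case-insensitive, as a Sigma `contains` modifier is. The last event is the caveat worth keeping in mind when tuning: keyword rules over 4104 text catch plainly written cmdlet names, not names assembled at run time, so pair this rule with other AD reconnaissance detections rather than relying on it alone.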
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Script
  • Logon Session
ATT&CK Techniques
  • T1069.002
Created: 2021-12-15