
User Discovery And Export Via Get-ADUser Cmdlet

Sigma Rules

Summary
This detection rule identifies use of the Get-ADUser cmdlet in PowerShell to harvest user account information from Active Directory and write it to a file. It inspects process creation events for PowerShell (powershell.exe or pwsh.exe) whose command line contains Get-ADUser together with a file-output cmdlet such as Out-File or Set-Content. Exporting AD user data this way is both a routine administrative task and a common reconnaissance step before data exfiltration, so the rule fires on legitimate administrative scripts as well as on attacker activity; those scripts are the main source of false positives and should be filtered out, for example by the known paths, hosts or accounts from which they run. With that tuning in place, the rule is intended to flag suspicious or unauthorized bulk access to user data in a corporate environment.
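The matching logic described in the summary, reduced to a small Python script run over constructed sample events. This is an added example, not the Sigma rule itself and not code from the Sigma project; the exact string lists of the real rule may differ. Two parts go beyond what the summary states and are assumptions: the OriginalFileName check (so a renamed powershell.exe still matches, which Sysmon Event ID 1 makes possible) and treating ">" redirection as an output sink alongside Out-File and Set-Content. The sample events are made up for the example.

```python
import base64

# Image names the detection keys on (powershell.exe or pwsh.exe), plus the
# Sysmon OriginalFileName values so a renamed binary still matches.  Checking
# OriginalFileName is an assumption added here; the page summary only
# mentions the process image.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}

# Output sinks named in the summary (Out-File, Set-Content).  ">" redirection
# is an assumption added here: it writes the same data without either cmdlet.
OUTPUT_SINKS = ("out-file", "set-content", ">")


def is_powershell(event: dict) -> bool:
    """True if the event's process is PowerShell (Windows PowerShell or pwsh)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(POWERSHELL_IMAGES) or original in POWERSHELL_ORIGINAL_NAMES


def matches_get_aduser_export(event: dict) -> bool:
    """Apply the rule: PowerShell + Get-ADUser + an output sink on the command
    line, compared case-insensitively the way Sigma 'contains' matching is."""
    if not is_powershell(event):
        return False
    cmd = event.get("CommandLine", "").lower()
    return "get-aduser" in cmd and any(sink in cmd for sink in OUTPUT_SINKS)


def find_matches(events):
    """Return the command lines of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches_get_aduser_export(e)]


def _encoded(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation events (not real telemetry), shaped like
# normalised Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS = [
    {   # 1. Classic bulk export: should fire.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -Command "Get-ADUser -Filter * -Properties * | Out-File C:\Users\Public\ad_users.txt"',
    },
    {   # 2. pwsh with Set-Content as the sink: should fire.
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r'pwsh.exe -c "Get-ADUser -Filter * | ConvertTo-Csv | Set-Content C:\Temp\users.csv"',
    },
    {   # 3. Single lookup with no file output (typical helpdesk use): no alert.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -Command "Get-ADUser -Identity jdoe -Properties MemberOf"',
    },
    {   # 4. Not PowerShell: must not fire even though the strings are present.
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c "echo Get-ADUser | Out-File x.txt"',
    },
    {   # 5. Renamed binary, caught only through OriginalFileName: should fire.
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'svc.exe -nop -c "Get-ADUser -Filter * > C:\Users\Public\u.txt"',
    },
    {   # 6. Encoded command: the cmdlet names never appear on the command
        #    line, so a command-line rule cannot see them (see note below).
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -NoP -EncodedCommand "
        + _encoded(r"Get-ADUser -Filter * -Properties * | Out-File C:\Users\Public\u.txt"),
    },
]


if __name__ == "__main__":
    for cmd in find_matches(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Events 1, 2 and 5 produce alerts; 3 and 4 do not. Event 6 is the caveat worth remembering when tuning this rule: because it matches only on the process command line, a -EncodedCommand invocation (or a script read from a file) carries the same Get-ADUser export without triggering it. Pair the rule with PowerShell script block logging (Event ID 4104), where the decoded script text is visible, if that gap matters in your environment.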
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Process
Created: 2022-09-09