Disabled Kerberos Pre-Authentication Discovery With PowerView

Splunk Security Content

Summary
This analytic detects attempts to enumerate Windows Active Directory accounts that have Kerberos pre-authentication disabled, a step attackers commonly take while preparing to attack an Active Directory environment. The rule specifically matches events generated by execution of the PowerShell command `Get-DomainUser` with the `-PreauthNotRequired` parameter. `Get-DomainUser` is part of PowerView, a tool designed for Active Directory enumeration. Execution of this command indicates that an adversary may be identifying accounts whose credentials can then be subjected to offline password cracking (AS-REP roasting, ATT&CK T1558.004). If successful, this could lead to unauthorized access to those accounts, escalated privileges, and access to protected data within the network. The detection relies on PowerShell Script Block Logging, specifically Event Code 4104, which must be enabled on monitored endpoints.
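The matching logic described above, as an added example that is not Splunk's own search: it runs the same 4104 script-block check over a handful of constructed sample events (the field names `EventCode`, `Computer`, `UserID` and `ScriptBlockText` are assumed to mirror what Splunk extracts from the PowerShell/Operational log; the hosts and SIDs are made up).

```python
import re

# Constructed sample Event ID 4104 (PowerShell Script Block Logging) records.
# Illustrative only; hosts, SIDs and script text are invented for this example.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1111-2222-3333-1105",
     "ScriptBlockText": "Get-DomainUser -PreauthNotRequired -Properties samaccountname"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "S-1-5-21-1111-2222-3333-1106",
     "ScriptBlockText": "get-domainuser -preauthnotrequired | select-object samaccountname"},
    {"EventCode": 4104, "Computer": "ws03.corp.example", "UserID": "S-1-5-21-1111-2222-3333-1107",
     "ScriptBlockText": "Get-DomainUser -Identity svc_backup -Properties lastlogon"},
    # Same text but not a 4104 record: the analytic is scoped to script block logging.
    {"EventCode": 4103, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1111-2222-3333-1105",
     "ScriptBlockText": "Get-DomainUser -PreauthNotRequired"},
]

# PowerShell cmdlet and parameter names are case-insensitive, so the match must be too.
# The word boundary after the cmdlet name keeps it from matching longer cmdlet names,
# and other arguments may sit between the cmdlet and the parameter.
PATTERN = re.compile(r"\bGet-DomainUser\b.*-PreauthNotRequired\b", re.IGNORECASE | re.DOTALL)


def is_preauth_enum(event):
    """True when a 4104 event's script block invokes PowerView's
    Get-DomainUser with the -PreauthNotRequired parameter."""
    if event.get("EventCode") != 4104:
        return False
    return PATTERN.search(event.get("ScriptBlockText", "")) is not None


def detect(events):
    """One finding per matching event, keyed by host and user so an analyst
    can see who ran what, where."""
    return [
        {"Computer": e["Computer"], "UserID": e["UserID"], "ScriptBlockText": e["ScriptBlockText"]}
        for e in events
        if is_preauth_enum(e)
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

Long script blocks are logged as several 4104 fragments, so the cmdlet and the parameter may land in different events; correlate fragments by their `ScriptBlockId` field before applying the match when that matters.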
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Pod
  • Application Log
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1558
  • T1558.004
  • T1059.001
Created: 2024-11-13