
Summary
This rule detects execution of the PowerShell cmdlets `Get-ObjectAcl` and `Get-DomainObjectAcl`, which enumerate the Access Control List (ACL) permissions of Active Directory objects. It uses Event ID 4104 from PowerShell Script Block Logging to identify attempts to discover weak or misconfigured permissions that an attacker could use for privilege escalation. The analytic's query aggregates the matching script block events so that analysts can see which user ran the cmdlets and on which host, giving insight into threats to the organization's Active Directory security. This detection matters because ACL enumeration is reconnaissance that typically precedes an attempt to escalate privileges or gain unauthorized access within the network.
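The detection logic described above, expressed as an added standalone example rather than the rule's own query: it takes a handful of constructed Event ID 4104 records (field names follow the event's ScriptBlockText, ScriptBlockId, MessageNumber and MessageTotal fields; hostnames, users and ScriptBlockId values are made up), reassembles script blocks that Script Block Logging split into several 4104 events, matches the two cmdlet names case-insensitively, and aggregates hits per host and user the way the analytic does.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on Event ID 4104 fields
# (Microsoft-Windows-PowerShell/Operational). Not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WKSTN-01", "UserId": "CORP\\alice", "ScriptBlockId": "a1",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"Computer": "WKSTN-02", "UserId": "CORP\\bob", "ScriptBlockId": "b1",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-DomainObjectAcl -Identity 'CN=Domain Admins,CN=Users,DC=corp,DC=local' -ResolveGUIDs"},
    # A long script block split across two 4104 events (constructed); the cmdlet
    # name straddles the chunk boundary, so a per-event match would miss it.
    {"Computer": "WKSTN-03", "UserId": "CORP\\carol", "ScriptBlockId": "c1",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "jectAcl -SearchBase 'DC=corp,DC=local' | ? { $_.ActiveDirectoryRights -match 'GenericAll' }"},
    {"Computer": "WKSTN-03", "UserId": "CORP\\carol", "ScriptBlockId": "c1",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$ErrorActionPreference = 'SilentlyContinue'; Get-Ob"},
    {"Computer": "WKSTN-02", "UserId": "CORP\\bob", "ScriptBlockId": "b2",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "get-objectacl -SamAccountName svc_backup"},
]

# PowerShell cmdlet names are case-insensitive, so the match must be too.
CMDLET_PATTERN = re.compile(r"\bGet-(?:Domain)?ObjectAcl\b", re.IGNORECASE)


def reassemble(events):
    """Group chunked 4104 events by ScriptBlockId and join them in MessageNumber order.

    Returns one dict per script block with the full text and a 'complete' flag
    indicating whether every chunk announced by MessageTotal was seen.
    """
    chunks = defaultdict(list)
    for ev in events:
        chunks[ev["ScriptBlockId"]].append(ev)
    blocks = []
    for sbid, parts in chunks.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        blocks.append({
            "Computer": parts[0]["Computer"],
            "UserId": parts[0]["UserId"],
            "ScriptBlockId": sbid,
            "ScriptBlockText": "".join(p["ScriptBlockText"] for p in parts),
            "complete": len(parts) == parts[0]["MessageTotal"],
        })
    return blocks


def detect_acl_enumeration(events):
    """Aggregate script blocks invoking Get-ObjectAcl / Get-DomainObjectAcl per (Computer, UserId)."""
    hits = defaultdict(lambda: {"count": 0, "cmdlets": set(), "script_block_ids": []})
    for block in reassemble(events):
        matches = CMDLET_PATTERN.findall(block["ScriptBlockText"])
        if not matches:
            continue
        key = (block["Computer"], block["UserId"])
        hits[key]["count"] += 1
        hits[key]["cmdlets"].update(m.lower() for m in matches)
        hits[key]["script_block_ids"].append(block["ScriptBlockId"])
    return dict(hits)


if __name__ == "__main__":
    for (computer, user), info in detect_acl_enumeration(SAMPLE_EVENTS).items():
        print(f"{computer} {user}: {info['count']} block(s), "
              f"cmdlets={sorted(info['cmdlets'])}, ids={info['script_block_ids']}")
```

Reassembling by ScriptBlockId before matching is the part worth copying into a real pipeline: Script Block Logging splits large scripts into numbered 4104 events, and a per-event string match can miss a cmdlet name that lands on a chunk boundary.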
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Pod
- Application Log
- Process
- Windows Registry
ATT&CK Techniques
- T1078
- T1078.002
- T1069
Created: 2024-11-13