
Summary
This detection rule targets the use of the PowerShell 'Import-Module' cmdlet to load 'Microsoft.ActiveDirectory.Management.dll' directly by file name. That DLL is the assembly behind the ActiveDirectory module normally installed with RSAT; because it can simply be copied onto a host and imported by path, attackers use it to run cmdlets such as Get-ADUser, Get-ADGroupMember and Get-ADComputer for Active Directory (AD) enumeration on systems where RSAT was never installed. The rule monitors process creation events, filtering for PowerShell processes (powershell.exe or pwsh.exe, including by OriginalFileName, where pwsh.exe is recorded as pwsh.dll, so a renamed binary is still caught), and fires when the command line contains both the terms 'Import-Module' and 'Microsoft.ActiveDirectory.Management.dll'. Its aim is to surface attempts to enumerate user, group and computer information from Active Directory during the reconnaissance phase of an intrusion. Note that this enumeration needs no elevated privileges: any authenticated domain user can query these objects, which is exactly what makes the technique attractive early in an attack. Ordinary administrative usage, 'Import-Module ActiveDirectory' by module name, does not contain the DLL string and is not matched. The rule is assigned medium severity because unauthorized AD enumeration is a common precursor to privilege escalation and lateral movement. Legitimate administrative scripts that ship the DLL to hosts without RSAT will produce the same command line, so alerts should be assessed against the executing account, the host and the location from which the DLL was loaded rather than treated as conclusive on their own.
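As an added example (not code from the rule or from the page's original summary), the matching logic described above, run in Python over constructed Sysmon Event ID 1 style process creation records. The field names Image, OriginalFileName, CommandLine and User follow Sysmon; the `triage` helper, the DLL path extraction and the "outside SystemRoot" heuristic are assumptions added here for illustration and are not part of the rule. The sample set deliberately includes a renamed pwsh.exe, ordinary RSAT usage by module name, a non-PowerShell process carrying the same strings, and an alias-based invocation, so the rule's scope and its blind spot are both visible.

```python
import re
from typing import Optional

# Process scoping as the rule describes it: the image is powershell.exe or
# pwsh.exe, or OriginalFileName says so (pwsh.exe carries "pwsh.dll"), which
# still catches a renamed copy of the binary.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
POWERSHELL_ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")

# Both substrings must appear in the command line; the comparison is
# case-insensitive, like a Sigma 'contains|all' modifier.
REQUIRED_TOKENS = ("import-module", "microsoft.activedirectory.management.dll")

# Hypothetical triage helper (not part of the rule): pull the DLL path out of
# the command line, quoted or unquoted, absolute or relative.
DLL_PATH_RE = re.compile(
    r"""['"]?([^\s'";]*Microsoft\.ActiveDirectory\.Management\.dll)['"]?""",
    re.IGNORECASE,
)


def is_powershell(event: dict) -> bool:
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(POWERSHELL_IMAGES) or original in POWERSHELL_ORIGINAL_NAMES


def matches_ad_module_import(event: dict) -> bool:
    """The detection itself: a PowerShell process whose command line has both tokens."""
    if not is_powershell(event):
        return False
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def dll_path(event: dict) -> Optional[str]:
    match = DLL_PATH_RE.search(event.get("CommandLine", ""))
    return match.group(1) if match else None


def outside_system_root(path: str) -> bool:
    # Assumption used only as a triage hint: the RSAT-installed copy lives under
    # %SystemRoot%, so a relative path or one elsewhere suggests a copied-in DLL.
    return not path.lower().startswith("c:\\windows\\")


def triage(events):
    """Apply the rule to a batch of events and return enriched hits for an analyst."""
    hits = []
    for event in events:
        if not matches_ad_module_import(event):
            continue
        path = dll_path(event) or ""
        hits.append({
            "User": event.get("User"),
            "Image": event.get("Image"),
            "DllPath": path,
            "OutsideSystemRoot": outside_system_root(path),
        })
    return hits


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {  # 1: DLL copied to a world-writable directory and imported by path
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "User": r"CORP\jdoe",
        "CommandLine": r'powershell.exe -nop -w hidden -c "Import-Module C:\Users\Public\Microsoft.ActiveDirectory.Management.dll; Get-ADUser -Filter * | Select-Object SamAccountName"',
    },
    {  # 2: pwsh.exe renamed to svc.exe; caught through OriginalFileName
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "pwsh.dll", "User": r"CORP\jdoe",
        "CommandLine": r'svc.exe -c "Import-Module .\Microsoft.ActiveDirectory.Management.dll; Get-ADGroupMember -Identity Administrators"',
    },
    {  # 3: ordinary RSAT usage by module name; the rule does not key on this
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "User": r"CORP\admin01",
        "CommandLine": r'powershell.exe -c "Import-Module ActiveDirectory; Get-ADComputer -Filter *"',
    },
    {  # 4: same strings, but not a PowerShell process
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe", "User": r"CORP\jdoe",
        "CommandLine": r"cmd.exe /c echo Import-Module Microsoft.ActiveDirectory.Management.dll",
    },
    {  # 5: blind spot: the ipmo alias loads the same DLL without the literal token
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll", "User": r"CORP\jdoe",
        "CommandLine": r'pwsh.exe -c "ipmo C:\Temp\Microsoft.ActiveDirectory.Management.dll; Get-ADUser -Filter *"',
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Events 1 and 2 are the only hits; event 5 shows the cost of matching the literal 'Import-Module' string, since the ipmo alias, a path held in a variable, or loading the assembly through [System.Reflection.Assembly]::LoadFile all reach the same DLL without tripping the rule. Pair this process creation rule with PowerShell script block logging (Event ID 4104) or Sysmon image load events (Event ID 7) on Microsoft.ActiveDirectory.Management.dll if that gap matters in your environment.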
Categories
- Windows
- Network
- Identity Management
Data Sources
- Process
- Command
- Windows Registry
Created: 2023-01-22