
GetLocalUser with PowerShell Script Block

Splunk Security Content

Summary
This detection rule identifies potential misuse of the `Get-LocalUser` PowerShell cmdlet, which lists all local user accounts on a system. Using PowerShell Script Block Logging (EventCode=4104), the rule scans the logs for any instance in which this cmdlet is executed. By extracting the script block text from the logs, it allows security analysts to detect attempts by adversaries to gather information about local user accounts, a common step in reconnaissance and Active Directory assessments. Detecting this activity is important because it may indicate preparatory actions for privilege escalation or lateral movement within a network. This analytic requires that PowerShell Script Block Logging is enabled on the monitored endpoints, which then capture the logs needed for monitoring. That configuration, combined with regular review of usage by known administrators and power users, helps distinguish benign activity from potentially malicious activity.
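To show the logic of the analytic outside Splunk, the following is an added example (not code from Splunk Security Content) that applies the same matching to constructed EventCode 4104 records: it keeps only script-block events whose text invokes `Get-LocalUser`, aggregates them per host and user, and tags rows whose user is on a reviewed-administrator allowlist so an analyst can triage the remaining rows first. The field names (`Computer`, `UserID`, `ScriptBlockText`) are assumed to follow the usual Windows PowerShell operational log fields, and the sample events and SIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Windows PowerShell Script Block
# Logging records (EventCode 4104) after field extraction. These are made up
# for the example, not real log data; the SIDs and host names are placeholders.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "S-1-5-21-111",
     "ScriptBlockText": "Get-LocalUser | Select-Object Name,Enabled"},
    {"EventCode": 4104, "Computer": "ws02.example.local", "UserID": "S-1-5-21-222",
     "ScriptBlockText": "get-localuser -Name Administrator"},
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "S-1-5-21-111",
     "ScriptBlockText": "Get-Process | Out-Null"},
    # Same text but not a script-block event: the analytic keys on 4104 only.
    {"EventCode": 4103, "Computer": "ws03.example.local", "UserID": "S-1-5-21-333",
     "ScriptBlockText": "Get-LocalUser"},
    # Related cmdlet, not the one this rule is about; must not match.
    {"EventCode": 4104, "Computer": "ws03.example.local", "UserID": "S-1-5-21-333",
     "ScriptBlockText": "Get-LocalGroupMember -Group Administrators"},
]

# Case-insensitive match on the cmdlet name as a whole token: "get-localuser"
# matches, a longer identifier such as "Get-LocalUserX" (hypothetical) does not.
GET_LOCAL_USER = re.compile(r"(?<![\w-])get-localuser(?![\w-])", re.IGNORECASE)


def is_get_local_user_event(event):
    """True for EventCode 4104 records whose script block invokes Get-LocalUser."""
    if event.get("EventCode") != 4104:
        return False
    return bool(GET_LOCAL_USER.search(event.get("ScriptBlockText", "")))


def detect(events, known_admins=frozenset()):
    """Filter matching events and aggregate them by (Computer, UserID).

    Each result row carries the hit count, the matched script block texts, and
    a known_admin flag derived from the caller-supplied allowlist, mirroring the
    page's advice to review usage by known administrators before escalating.
    """
    hits = defaultdict(lambda: {"count": 0, "script_blocks": []})
    for ev in events:
        if not is_get_local_user_event(ev):
            continue
        key = (ev["Computer"], ev["UserID"])
        hits[key]["count"] += 1
        hits[key]["script_blocks"].append(ev["ScriptBlockText"])

    results = []
    for (computer, user), agg in sorted(hits.items()):
        results.append({
            "Computer": computer,
            "UserID": user,
            "count": agg["count"],
            "ScriptBlockText": agg["script_blocks"],
            "known_admin": user in known_admins,
        })
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, known_admins={"S-1-5-21-111"}):
        print(row)
```

Running the block prints one row per host/user pair that executed `Get-LocalUser`; the row for the allowlisted SID is flagged `known_admin=True` and would be the first candidate for closure during review, while the unflagged row is the one that warrants investigation.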
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • Script
  • Image
  • Web Credential
  • Named Pipe
  • Certificate
  • WMI
  • Cloud Storage
  • Internet Scan
  • Persona
  • Group
  • Application Log
  • Logon Session
  • Instance
  • Sensor Health
  • File
  • Drive
  • Snapshot
  • Command
  • Kernel
  • Driver
  • Volume
  • Cloud Service
  • Malware Repository
  • Network Share
  • Network Traffic
ATT&CK Techniques
  • T1087
  • T1087.001
  • T1059.001
Created: 2024-11-13