User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

Sigma Rules

Summary
This detection rule identifies suspicious use of the Get-ADUser cmdlet in PowerShell, which is commonly used in Active Directory environments to retrieve user account information. The rule focuses on cases where the cmdlet is used to collect detailed user data and then write that output to a file. The detection logic relies on PowerShell script block logging and flags activity that matches defined patterns in the logged script text. The presence of the keyword 'Get-ADUser' together with an output redirection operator indicates possible misuse or automated data export, behaviour often associated with reconnaissance or data exfiltration by threat actors. The rule alerts when these patterns are detected, with the caveat that legitimate administrative operations can produce the same pattern and cause false positives.
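The following Python snippet is an added illustration of the matching logic described above, applied to a few constructed script block log records; it is not the Sigma rule itself and not code from the rule's authors. It assumes script block events carry an `EventID` of 4104 and a `ScriptBlockText` field (the usual PowerShell script block logging layout), and it extends the page's "output redirection operators" to also cover the `Out-File` and `Export-Csv` cmdlets, which is my own generalisation, not something the page states the rule does. The `User` field and the suppression list are likewise assumptions added to show how a false-positive allowlist for known administrators could be tuned.

```python
from dataclasses import dataclass

# Constructed sample events in the shape of PowerShell script block logging
# records (Event ID 4104). Field names are assumed for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4104, "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-ADUser -Filter * -Properties * > C:\\Users\\Public\\users.txt"},
    {"EventID": 4104, "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-ADUser jdoe"},
    {"EventID": 4104, "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-Process >> C:\\temp\\procs.txt"},
    {"EventID": 4104, "User": "CORP\\svc_hr_sync",
     "ScriptBlockText": "Get-ADUser -Filter {Enabled -eq $true} | Export-Csv -Path .\\ad.csv"},
    {"EventID": 4103, "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-ADUser -Filter * > out.txt"},  # module logging, not a script block
]

# Keyword the page names, plus the sinks treated as "output redirection".
# '>' and '>>' are PowerShell redirection operators; the two cmdlets are an
# assumed extension beyond what the page describes.
CMDLET_KEYWORD = "get-aduser"
OUTPUT_SINKS = (">", "out-file", "export-csv")


@dataclass
class Detection:
    event_index: int
    user: str
    matched_sinks: list
    script: str


def matches_rule(event: dict) -> list:
    """Return the output sinks found if the event matches, else an empty list.

    Mirrors a Sigma 'contains' selection: case-insensitive substring checks on
    ScriptBlockText, restricted to script block logging events (ID 4104).
    """
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "").lower()
    if CMDLET_KEYWORD not in text:
        return []
    return [sink for sink in OUTPUT_SINKS if sink in text]


def scan(events, suppress_users=()):
    """Run the rule over a list of events.

    suppress_users is an assumed tuning knob: accounts (e.g. a known HR sync
    service account) whose matches are treated as expected administration and
    dropped, which is how the page's false-positive caveat would be handled.
    """
    suppressed = {u.lower() for u in suppress_users}
    detections = []
    for i, event in enumerate(events):
        sinks = matches_rule(event)
        if not sinks:
            continue
        if event.get("User", "").lower() in suppressed:
            continue
        detections.append(Detection(i, event.get("User", ""), sinks,
                                    event["ScriptBlockText"]))
    return detections


if __name__ == "__main__":
    for d in scan(SAMPLE_EVENTS):
        print(f"[ALERT] event {d.event_index} user={d.user} sinks={d.matched_sinks}: {d.script}")
    print("after suppressing svc_hr_sync:", len(scan(SAMPLE_EVENTS, ("CORP\\svc_hr_sync",))))
```

Run as-is, the scan flags events 0 and 3 (the plain redirect and the `Export-Csv` pipeline), ignores the single-user lookup and the unrelated `Get-Process` redirect, and skips the 4103 record because it is not a script block event; adding the service account to the suppression list leaves only the first alert.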
Categories
  • Windows
  • Identity Management
Data Sources
  • Script
  • User Account
Created: 2022-11-17