Get WMIObject Group Discovery with Script Block Logging

Splunk Security Content

Summary
This detection rule analyzes PowerShell Script Block Logging events (EventCode 4104 in the Microsoft-Windows-PowerShell/Operational log) to identify execution of `Get-WMIObject Win32_Group`. The command is not inherently malicious: it enumerates the groups defined on a machine. Its use can nonetheless indicate reconnaissance, because an attacker with a foothold will often enumerate users and groups to plan privilege escalation and lateral movement, so hits should be correlated with the user, the time of day and the endpoint involved. Script Block Logging records the full text of the executed script block, so the analyst can inspect the complete command rather than just the process name. Implementing the rule requires enabling PowerShell Script Block Logging on the relevant endpoints and forwarding the 4104 events. Administrators and inventory or configuration-management scripts legitimately run this command, so expect false positives and tune the analytic on an ongoing basis (for example, by filtering known service accounts or scheduled jobs).
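As an added illustration (not part of the Splunk Security Content rule or its SPL), the following Python applies the rule's two conditions, a case-insensitive match on `Get-WMIObject` and on `Win32_Group` in the `ScriptBlockText` field of EventCode 4104 records, to constructed sample events and applies a simple allow-list as a stand-in for tuning. The field names `Computer`, `UserID` and `ScriptBlockText` follow the 4104 event XML; the event values, hostnames and SIDs are made up, and the allow-list of accounts is an assumption for the example.

```python
import re
from typing import Iterable

# Constructed sample events standing in for Windows PowerShell Operational
# EventCode 4104 records after ingestion. Field names follow the 4104 event
# XML; hostnames, SIDs and script text are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "S-1-5-21-1111-2222-3333-1105",
     "ScriptBlockText": "Get-WMIObject Win32_Group | Select-Object Name, SID"},
    {"EventCode": 4104, "Computer": "ws02.corp.example",
     "UserID": "S-1-5-21-1111-2222-3333-1106",
     "ScriptBlockText": "get-wmiobject -Class win32_group -ComputerName dc01 | ft Name"},
    {"EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "S-1-5-21-1111-2222-3333-1105",
     "ScriptBlockText": "Get-WMIObject Win32_Process | Where-Object { $_.Name -eq 'lsass.exe' }"},
    # Same command, but logged as 4103 (module logging), which the rule ignores.
    {"EventCode": 4103, "Computer": "ws03.corp.example",
     "UserID": "S-1-5-21-1111-2222-3333-1107",
     "ScriptBlockText": "Get-WMIObject Win32_Group"},
    # Legitimate inventory job run by a service account (assumed for the example).
    {"EventCode": 4104, "Computer": "inv01.corp.example",
     "UserID": "S-1-5-21-1111-2222-3333-500",
     "ScriptBlockText": 'Get-WMIObject Win32_Group -Filter "LocalAccount=True"'},
]

# The rule's two substring conditions, made case-insensitive because
# PowerShell cmdlet names and WMI class names are case-insensitive.
CMDLET = re.compile(r"get-wmiobject", re.IGNORECASE)
WMI_CLASS = re.compile(r"win32_group", re.IGNORECASE)


def is_group_discovery(event: dict) -> bool:
    """True when a 4104 script block contains both Get-WMIObject and Win32_Group."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return bool(CMDLET.search(text) and WMI_CLASS.search(text))


def detect(events: Iterable[dict], allowlisted_users: frozenset = frozenset()) -> list:
    """Return matching events, minus those run by allow-listed accounts.

    The allow-list stands in for the tuning the rule needs: inventory or
    configuration-management accounts that legitimately enumerate groups.
    """
    hits = []
    for event in events:
        if not is_group_discovery(event):
            continue
        if event.get("UserID") in allowlisted_users:
            continue
        hits.append(event)
    return hits


def summarize(hits: Iterable[dict]) -> dict:
    """Count hits per (Computer, UserID) so they can be triaged by endpoint and user."""
    counts = {}
    for hit in hits:
        key = (hit.get("Computer"), hit.get("UserID"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    inventory_accounts = frozenset({"S-1-5-21-1111-2222-3333-500"})
    for hit in detect(SAMPLE_EVENTS, inventory_accounts):
        print(f"{hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

The matcher deliberately mirrors the rule's two conditions, so it does not fire on `gwmi Win32_Group` (gwmi is a built-in alias of Get-WmiObject) or on `Get-CimInstance Win32_Group`, which returns the same data; whether to broaden the match is a tuning decision that trades coverage against additional false positives.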
Categories
  • Endpoint
Data Sources
  • PowerShell Script Block Logging (EventCode 4104)
ATT&CK Techniques
  • T1069.001
  • T1069
Created: 2024-11-13