Suspicious Connection to Remote Account

Sigma Rules

Summary
This rule looks for PowerShell activity consistent with password guessing against an Active Directory account (ATT&CK T1110.001). An adversary with no valid credentials may try candidate passwords one after another; one way to do that from PowerShell is to script an LDAP bind to a domain controller with explicitly supplied credentials and repeat it across a password list. The rule therefore matches PowerShell script blocks that reference the .NET classes used to build such an LDAP connection and its credential object. It relies on PowerShell Script Block Logging being enabled (Microsoft-Windows-PowerShell/Operational event 4104), because the selection is applied to the ScriptBlockText field of that event. Two practical caveats: every selection string must appear in the same event, so a long script that Script Block Logging splits into several 4104 fragments can escape a per-event match unless the fragments are reassembled by ScriptBlockId; and legitimate administrative scripts that bind to LDAP with explicit credentials produce the same class references, so a hit should be reviewed for repeated binds against a single account, a loop over a wordlist, or an unexpected source host before it is treated as a brute-force attempt.
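The following is an added example, not the Sigma project's code or the rule itself. It replays a `contains|all` selection over a few constructed 4104 events and shows the fragmentation caveat: the same script evaluated per event versus after reassembly by ScriptBlockId. The three .NET class names in `SELECTION_ALL` are assumed to be the rule's selection strings; the page does not list them, and the event records below are constructed samples, not real logs.

```python
"""Replay a Sigma-style 'ScriptBlockText|contains|all' selection over
constructed PowerShell 4104 events. Added example; assumed selection strings."""
from collections import defaultdict

# Assumed selection strings (not taken from the page): the .NET classes a
# scripted LDAP bind with explicit credentials needs.
SELECTION_ALL = (
    "System.DirectoryServices.Protocols.LdapDirectoryIdentifier",
    "System.Net.NetworkCredential",
    "System.DirectoryServices.Protocols.LdapConnection",
)


def matches_selection(script_block_text: str) -> bool:
    """Sigma 'contains|all': every string must occur in the field.
    Sigma string matching is case-insensitive, so compare lower-cased text."""
    text = script_block_text.lower()
    return all(s.lower() in text for s in SELECTION_ALL)


# Constructed sample 4104 events. Fields mirror the real event's
# ScriptBlockId / MessageNumber / MessageTotal / ScriptBlockText layout.
SAMPLE_EVENTS = [
    {   # one password-guessing loop logged as a single script block
        "EventRecordId": 1, "ScriptBlockId": "sb-1",
        "MessageNumber": 1, "MessageTotal": 1,
        "ScriptBlockText": """
$dc = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('dc01.corp.local', 389)
foreach ($pw in Get-Content .\\passwords.txt) {
  $cred = New-Object System.Net.NetworkCredential('CORP\\jdoe', $pw)
  $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc, $cred)
  try { $conn.Bind(); Write-Output "valid: $pw"; break } catch {}
}
""",
    },
    {   # benign admin query: none of the selection strings appear
        "EventRecordId": 2, "ScriptBlockId": "sb-2",
        "MessageNumber": 1, "MessageTotal": 1,
        "ScriptBlockText": """
Get-ADUser -Filter * -Properties LastLogonDate |
  Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
  Select-Object SamAccountName, LastLogonDate
""",
    },
    {   # the same guessing loop, but split by Script Block Logging into
        # two 4104 fragments; no single fragment carries all three strings
        "EventRecordId": 3, "ScriptBlockId": "sb-3",
        "MessageNumber": 1, "MessageTotal": 2,
        "ScriptBlockText": """
$dc = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('dc01.corp.local', 389)
foreach ($pw in Get-Content .\\passwords.txt) {
  $cred = New-Object System.Net.NetworkCredential('CORP\\jdoe', $pw)
""",
    },
    {
        "EventRecordId": 4, "ScriptBlockId": "sb-3",
        "MessageNumber": 2, "MessageTotal": 2,
        "ScriptBlockText": """
  $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc, $cred)
  try { $conn.Bind(); Write-Output "valid: $pw"; break } catch {}
}
""",
    },
]


def evaluate_per_event(events):
    """Naive replay: apply the selection to each 4104 event on its own.
    Returns the matching EventRecordIds."""
    return sorted(e["EventRecordId"] for e in events
                  if matches_selection(e["ScriptBlockText"]))


def reassemble(events):
    """Join fragments that share a ScriptBlockId, in MessageNumber order.
    Returns {ScriptBlockId: full script text}."""
    parts = defaultdict(list)
    for e in events:
        parts[e["ScriptBlockId"]].append((e["MessageNumber"], e["ScriptBlockText"]))
    return {sbid: "".join(t for _, t in sorted(p)) for sbid, p in parts.items()}


def evaluate_reassembled(events):
    """Apply the selection to whole script blocks after reassembly.
    Returns the matching ScriptBlockIds."""
    return sorted(sbid for sbid, text in reassemble(events).items()
                  if matches_selection(text))


if __name__ == "__main__":
    print("per-event hits (EventRecordId):", evaluate_per_event(SAMPLE_EVENTS))
    print("reassembled hits (ScriptBlockId):", evaluate_reassembled(SAMPLE_EVENTS))
```

Per-event evaluation catches only record 1; the split script (records 3 and 4) is missed until the fragments are joined, which is why a pipeline that feeds this rule should reassemble 4104 fragments by ScriptBlockId, or the rule should be paired with a per-event indicator that survives fragmentation.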
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Logon Session
ATT&CK Techniques
  • T1110.001
Created: 2021-12-27