Summary
This detection rule identifies instances of the `Get-ADUser` PowerShell cmdlet executed with parameters that indicate a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (specifically EventCode 4104) to monitor any script block containing this command. The significance of this detection lies in the potential for adversaries to locate accounts lacking Kerberos Pre-Authentication, potentially enabling them to engage in offline password cracking attacks. The compromise of such accounts can lead to unauthorized access to sensitive information and privilege escalation within the network. The analytic is designed to monitor for and report these occurrences in real time, aiding in the protection of critical accounts.
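As an added example that is not part of this detection rule, the following Python applies the rule's logic to constructed EventCode 4104 records. It assumes the indicator the rule keys on is the `DoesNotRequirePreAuth` attribute and, going beyond the rule as stated, also catches the equivalent `userAccountControl` bitmask filter (0x400000, DONT_REQ_PREAUTH); the host, user and script text values are constructed, not real telemetry.

```python
import re

# Constructed sample of PowerShell Script Block Logging records (EventCode 4104),
# reduced to the fields the detection needs. Not real telemetry.
SAMPLE_4104 = [
    {"EventCode": 4104, "host": "ws01", "user": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} "
                        "-Properties DoesNotRequirePreAuth"},
    {"EventCode": 4104, "host": "ws02", "user": "CORP\\admin1",
     "ScriptBlockText": "Get-ADUser -Identity svc_backup -Properties MemberOf"},
    {"EventCode": 4104, "host": "ws03", "user": "CORP\\asmith",
     "ScriptBlockText": "get-aduser -filter 'useraccountcontrol -band 4194304'"},
    {"EventCode": 4104, "host": "ws04", "user": "CORP\\bjones",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Same text as ws01 but a different event type: must not alert.
    {"EventCode": 4103, "host": "ws05", "user": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}"},
]

# Cmdlet name is matched case-insensitively because PowerShell is.
GET_ADUSER = re.compile(r"\bget-aduser\b", re.IGNORECASE)

# Indicators that the query targets pre-auth-disabled accounts: the attribute name the
# rule is assumed to key on, plus the raw userAccountControl flag (4194304 == 0x400000).
PREAUTH_INDICATORS = re.compile(
    r"doesnotrequirepreauth|useraccountcontrol\s*-band\s*(?:4194304|0x400000)",
    re.IGNORECASE,
)


def is_preauth_enum(script_block: str) -> bool:
    """True when a script block both calls Get-ADUser and filters on pre-auth-disabled accounts."""
    return bool(GET_ADUSER.search(script_block) and PREAUTH_INDICATORS.search(script_block))


def detect(events):
    """Return one alert per 4104 event whose ScriptBlockText matches, tagged with the ATT&CK sub-technique."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if is_preauth_enum(text):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "technique": "T1558.004", "script": text})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_4104):
        print(f"{alert['host']} {alert['user']} {alert['technique']}: {alert['script']}")
```

Script Block Logging splits long scripts across several 4104 events, so in production the fragments of one ScriptBlockId should be reassembled before matching, otherwise the cmdlet and its filter can land in different records.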
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1558
- T1558.004
Created: 2024-11-13