
Summary
This detection rule identifies execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used in Windows domain environments to retrieve the password policy in effect for a given domain user. Using PowerShell Script Block Logging (EventCode=4104), the rule flags script blocks that invoke this cmdlet, since such activity can indicate reconnaissance by an attacker seeking to understand the domain's password policies. Insight into those policy settings could support further exploitation, such as password-guessing attacks. The rule gives security teams visibility into this specific behaviour so that possible domain enumeration attempts can be monitored and responded to proactively.
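As an added illustration of the rule's logic (not the rule's own query or any vendor code), the following Python runs the same check over a handful of constructed EventCode=4104 records: only script block events whose text invokes the cmdlet are reported, the match is case-insensitive because PowerShell cmdlet names are, and events from other channels are ignored. The field names (`EventCode`, `Computer`, `UserID`, `ScriptBlockText`) are assumed to mirror what a SIEM indexes from the PowerShell Operational log.

```python
import re
from dataclasses import dataclass

# Constructed sample 4104 (Script Block Logging) records, modelled on the fields
# a SIEM would index from Microsoft-Windows-PowerShell/Operational. Illustrative
# values only, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-ADUserResultantPasswordPolicy -Identity jdoe"},
    {"EventCode": 4104, "Computer": "WS02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "get-aduserresultantpasswordpolicy -Identity svc_backup | Format-List"},
    {"EventCode": 4104, "Computer": "WS03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "Get-ADUser -Identity jdoe -Properties PasswordLastSet"},
    {"EventCode": 4103, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-ADUserResultantPasswordPolicy -Identity jdoe"},
]

# Case-insensitive: PowerShell resolves cmdlet names regardless of case, so a
# lowercase or mixed-case invocation must still trigger the rule.
CMDLET_PATTERN = re.compile(r"\bGet-ADUserResultantPasswordPolicy\b", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    computer: str
    user: str
    script_block: str


def detect_resultant_password_policy_query(events):
    """Return one Detection per 4104 event whose script block invokes the cmdlet."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # the rule is scoped to script block logging only
        text = ev.get("ScriptBlockText", "")
        if CMDLET_PATTERN.search(text):
            hits.append(Detection(ev.get("Computer", "?"), ev.get("UserID", "?"), text))
    return hits


if __name__ == "__main__":
    for d in detect_resultant_password_policy_query(SAMPLE_EVENTS):
        print(f"[4104] {d.computer} {d.user}: {d.script_block}")
```

In a real deployment the hits would be enriched with the invoking process and parent, and baselined against known administrative hosts, before alerting.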
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1201
- T1059.001
Created: 2024-11-13