
Summary
This detection rule targets the creation of new domain accounts in a Windows Active Directory environment, a common adversary tactic for maintaining persistent access to victim systems. The rule focuses on PowerShell scripts that manipulate user, computer, or group security principals. Specifically, it detects the use of the System.DirectoryServices.AccountManagement namespace within PowerShell script blocks, which malicious actors often leverage to create or modify accounts. The rule requires that Script Block Logging is enabled so that the script text is captured. The presence of such a script may indicate an attempt at lateral movement or privilege escalation, but because attackers can hide behind legitimate administrative scripts, and administrators use the same namespace for routine work, the rule can also produce false positives. Administrators should investigate any alert triggered by this rule to determine whether it represents a genuine threat or an innocuous administrative action.
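As an added example (not the rule's own query and not part of the original page), the following Python script shows how the detection logic described above behaves when run over Script Block Logging events. It assumes events have already been parsed into dictionaries with `EventID`, `RecordId`, `User` and `ScriptBlockText` fields; the sample events are constructed for this illustration. Event ID 4104 is the script block event in the Microsoft-Windows-PowerShell/Operational log, and UserPrincipal, ComputerPrincipal and GroupPrincipal are the principal classes that the System.DirectoryServices.AccountManagement namespace exposes; reporting which of them a block touched is an enrichment added here to help an analyst triage, not part of the rule as described.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Script Block Logging writes Event ID 4104 to the
# Microsoft-Windows-PowerShell/Operational channel; the ScriptBlockText field
# carries the script text (long scripts are split across several 4104 events).
SCRIPT_BLOCK_EVENT_ID = 4104

# The namespace the rule keys on, and the principal classes it exposes.
NAMESPACE = "System.DirectoryServices.AccountManagement"
PRINCIPAL_TYPES = ("UserPrincipal", "ComputerPrincipal", "GroupPrincipal")

# PowerShell is case-insensitive, so the matching must be too.
NAMESPACE_RE = re.compile(re.escape(NAMESPACE), re.IGNORECASE)
PRINCIPAL_RE = re.compile(r"\b(" + "|".join(PRINCIPAL_TYPES) + r")\b", re.IGNORECASE)
_CANONICAL = {t.lower(): t for t in PRINCIPAL_TYPES}


@dataclass(frozen=True)
class Alert:
    record_id: int
    user: str
    principal_types: Tuple[str, ...]  # which principal classes the block referenced
    excerpt: str                      # first line that names the namespace, for triage


def match_script_block(text: str) -> Optional[Tuple[str, ...]]:
    """Return the principal classes referenced when the block uses the
    namespace (possibly an empty tuple), or None when it does not."""
    if not NAMESPACE_RE.search(text):
        return None
    found = sorted({m.group(1).lower() for m in PRINCIPAL_RE.finditer(text)})
    return tuple(_CANONICAL[t] for t in found)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Apply the rule to a stream of parsed events; only 4104 events are considered."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        text = ev.get("ScriptBlockText", "")
        types = match_script_block(text)
        if types is None:
            continue
        excerpt = next(line.strip() for line in text.splitlines()
                       if NAMESPACE_RE.search(line))
        alerts.append(Alert(ev["RecordId"], ev.get("User", "?"), types, excerpt))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 4104 block that loads the account-management API: should alert.
    {"RecordId": 101, "EventID": 4104, "User": "CORP\\svc-deploy",
     "ScriptBlockText": (
         "Add-Type -AssemblyName System.DirectoryServices.AccountManagement\n"
         "$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')\n"
         "$u = New-Object System.DirectoryServices.AccountManagement.UserPrincipal($ctx)\n")},
    # 4104 block unrelated to account management: should not alert.
    {"RecordId": 102, "EventID": 4104, "User": "CORP\\alice",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100\n"},
    # Same text in a 4103 (module logging) event: the rule reads 4104 only.
    {"RecordId": 103, "EventID": 4103, "User": "CORP\\bob",
     "ScriptBlockText": "[system.directoryservices.accountmanagement.GroupPrincipal]::FindByIdentity($ctx, 'Helpdesk')\n"},
    # Lower-cased namespace in a 4104 block: still alerts, since matching is case-insensitive.
    {"RecordId": 104, "EventID": 4104, "User": "CORP\\bob",
     "ScriptBlockText": "[system.directoryservices.accountmanagement.GroupPrincipal]::FindByIdentity($ctx, 'Helpdesk')\n"},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"record {a.record_id} user={a.user} types={a.principal_types}: {a.excerpt}")
```

Running the script alerts on records 101 and 104 and stays silent on the unrelated block and on the 4103 event, which illustrates the rule's dependency on Script Block Logging: without 4104 events the namespace reference in record 103 would never be seen. The `user` and `principal_types` fields are what an analyst would first check when separating a service account's routine provisioning from an unexpected account creation.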
Categories
- Windows
- Identity Management
Data Sources
- Script
ATT&CK Techniques
- T1136.002
Created: 2021-12-28