Domain Group Discovery with Adsisearcher

Splunk Security Content

Summary
This analytic detects use of the `[adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It monitors PowerShell Script Block Logging events (EventCode 4104) for script blocks that reference `adsisearcher` together with an object category filter for groups (for example `objectcategory=group`). Such queries are a common reconnaissance step: an adversary who has gained a foothold on a domain-joined host enumerates groups and their members to identify high-value targets before attempting privilege escalation or lateral movement. The search aggregates matching script blocks, recording a count and the first and last execution time of each, which gives responders a timeline of the activity and the context needed to prioritize the incident. Script Block Logging must be enabled on every endpoint in scope, or the detection cannot fire. Administrators do use `[adsisearcher]` legitimately for troubleshooting, so tune the rule for known administrative hosts and accounts to limit false positives.
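The matching and aggregation described above, reimplemented in Python over constructed EventCode 4104 records so the logic can be exercised offline. This is an added example, not the Splunk search itself; it assumes the Splunk field names `_time`, `EventCode`, `Computer`, `UserID` and `ScriptBlockText`, matches case-insensitively as Splunk wildcard term matching does, and keys on the two indicators the summary names (`[adsisearcher]` plus an `objectcategory=group` filter). The published search may add further terms, so treat the match conditions here as illustrative.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like Splunk-indexed PowerShell Script Block
# Logging records. None of these are real logs.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:00:00", "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").FindAll()'},
    # Same block run again five minutes later: should raise the count, not add a row.
    {"_time": "2024-11-13T09:05:00", "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").FindAll()'},
    # Mixed case and a compound LDAP filter: still a group query via adsisearcher.
    {"_time": "2024-11-13T09:07:00", "EventCode": 4104, "Computer": "WS02.corp.local",
     "UserID": "CORP\\svc-backup",
     "ScriptBlockText": '([ADSISearcher]"(&(objectCategory=group)(cn=Domain Admins))").FindOne()'},
    # adsisearcher without a group filter: user enumeration, out of scope for this rule.
    {"_time": "2024-11-13T09:10:00", "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=user)").FindAll()'},
    # Group enumeration through a cmdlet instead of the type accelerator: not matched here.
    {"_time": "2024-11-13T09:12:00", "EventCode": 4104, "Computer": "WS03.corp.local",
     "UserID": "CORP\\admin",
     "ScriptBlockText": "Get-ADGroup -Filter *"},
    # Matching text but the wrong event code (module logging, not script block logging).
    {"_time": "2024-11-13T09:15:00", "EventCode": 4103, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").FindAll()'},
]

# Assumed match conditions, equivalent to the wildcard terms
# ScriptBlockText="*[adsisearcher]*" AND ScriptBlockText="*objectcategory=group*".
ADSISEARCHER = re.compile(r"\[adsisearcher\]", re.IGNORECASE)
GROUP_FILTER = re.compile(r"objectcategory\s*=\s*group", re.IGNORECASE)


def is_group_discovery(script_block: str) -> bool:
    """True when a script block uses [adsisearcher] to query for group objects."""
    return bool(ADSISEARCHER.search(script_block) and GROUP_FILTER.search(script_block))


def detect(events):
    """Mimic `stats count min(_time) max(_time) by Computer UserID ScriptBlockText`
    over EventCode 4104 records. Timestamps are ISO-8601 strings of one fixed
    format, so string comparison orders them correctly."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if not is_group_discovery(text):
            continue
        row = hits[(ev["Computer"], ev["UserID"], text)]
        row["count"] += 1
        t = ev["_time"]
        if row["firstTime"] is None or t < row["firstTime"]:
            row["firstTime"] = t
        if row["lastTime"] is None or t > row["lastTime"]:
            row["lastTime"] = t
    return dict(hits)


if __name__ == "__main__":
    for (computer, user, block), row in detect(SAMPLE_EVENTS).items():
        print(f"{computer} {user} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}\n  {block}")
```

Running the script yields two rows: the repeated query from `WS01` is collapsed into one row with a count of 2 and a five-minute first-to-last window, and the mixed-case `Domain Admins` lookup from `WS02` appears once. The `objectcategory=user` query, the `Get-ADGroup` cmdlet and the 4103 record are all dropped, which illustrates both what the rule is tuned to catch and the group-discovery variants it deliberately leaves to other detections.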
Categories
  • Endpoint
Data Sources
  • Pod
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1069
  • T1069.002
Created: 2024-11-13