
Windows Find Interesting ACL with FindInterestingDomainAcl

Splunk Security Content

Summary
The 'Windows Find Interesting ACL with FindInterestingDomainAcl' detection rule monitors for execution of the 'Find-InterestingDomainAcl' cmdlet, part of the PowerView toolkit widely used for Active Directory enumeration and reconnaissance. The rule relies on PowerShell Script Block Logging, specifically EventCode 4104, to capture instances in which this cmdlet is invoked. Malicious actors commonly use the cmdlet to identify misconfigured or unsecured Access Control Lists (ACLs) within a Windows domain, so detecting its use highlights potential privilege escalation opportunities or weaknesses in security configuration that could lead to unauthorized access. The rule accounts for a range of logging configurations and provides drilldown searches that let security analysts review detections by the specific users and systems involved. It also describes the implementation procedure, potential false positives arising from legitimate administrative activity, and references for further reading on PowerView and related techniques.
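As an added illustration of the detection logic the summary describes (example code, not part of the Splunk Security Content rule or its SPL), the following Python scans constructed EventCode 4104 records for the cmdlet name and groups hits by user and host the way the rule's drilldown does. The field names (EventCode, Computer, UserID, ScriptBlockText) and all sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample of PowerShell Script Block Logging records, shaped as flat
# dicts the way a SIEM might present them. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Find-InterestingDomainAcl -ResolveGUIDs"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\svc-backup",
     "ScriptBlockText": "Get-ChildItem C:\\Backups | Measure-Object"},
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "find-interestingdomainacl | Export-Csv acls.csv"},
    # EventCode 4103 is Module Logging, not Script Block Logging: out of scope for this rule.
    {"EventCode": 4103, "Computer": "dc01.corp.example", "UserID": "CORP\\admin",
     "ScriptBlockText": "Find-InterestingDomainAcl"},
]

# PowerShell cmdlet names are case-insensitive, so the match must be too;
# the word boundaries avoid matching a longer identifier that merely contains the name.
CMDLET_PATTERN = re.compile(r"\bFind-InterestingDomainAcl\b", re.IGNORECASE)


def detect_find_interesting_domain_acl(events):
    """Return the EventCode 4104 events whose ScriptBlockText invokes Find-InterestingDomainAcl."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # the rule is scoped to Script Block Logging only
        if CMDLET_PATTERN.search(ev.get("ScriptBlockText", "")):
            hits.append(ev)
    return hits


def drilldown_by_user_and_host(hits):
    """Count hits per (UserID, Computer), mirroring the rule's user/system drilldown."""
    return Counter((ev["UserID"], ev["Computer"]) for ev in hits)


if __name__ == "__main__":
    matched = detect_find_interesting_domain_acl(SAMPLE_EVENTS)
    for (user, host), count in drilldown_by_user_and_host(matched).items():
        print(f"{user} on {host}: {count} invocation(s)")
```

Hits from accounts that legitimately audit ACLs are where the rule's false-positive guidance applies; the per-user drilldown is the natural place to review them.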
Categories
  • Endpoint
Data Sources
  • Persona
  • Process
  • Application Log
ATT&CK Techniques
  • T1087
  • T1087.002
Created: 2024-11-13