Windows Get-AdComputer Unconstrained Delegation Discovery

Splunk Security Content

Summary
This detection rule identifies execution of the PowerShell cmdlet Get-ADComputer with parameters indicative of a search for Windows systems configured for Kerberos Unconstrained Delegation. The analytic monitors PowerShell Script Block Logging (EventCode=4104) to capture this activity. Such queries often indicate reconnaissance by attackers or penetration testers enumerating high-value targets and mapping the Active Directory environment. If the activity is malicious, it can be a precursor to privilege escalation and lateral movement within the network. The rule underlines the value of monitoring PowerShell activity to catch system discovery early.
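The matching logic described above, run over constructed 4104 script block text, as an added example that is not the rule's own SPL or Splunk's code. The delegation indicators it checks for (the TrustedForDelegation property and the userAccountControl TRUSTED_FOR_DELEGATION bit, 0x80000 = 524288, via -band or the LDAP bitwise-AND matching rule) are my assumption of which "specific parameters" the rule keys on; the sample events are constructed, not real logs.

```python
import re

# Constructed sample events shaped like PowerShell Script Block Logging records (not real logs).
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example",
     "ScriptBlockText": "Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation"},
    {"EventCode": 4104, "Computer": "ws02.corp.example",
     "ScriptBlockText": "get-adcomputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'"},
    {"EventCode": 4104, "Computer": "admin01.corp.example",
     "ScriptBlockText": "Get-ADComputer -Identity FS01 -Properties OperatingSystem"},  # benign lookup
    {"EventCode": 4103, "Computer": "ws01.corp.example",
     "ScriptBlockText": "Get-ADComputer -Filter {TrustedForDelegation -eq $true}"},  # wrong EventCode
]

# PowerShell cmdlet names are case-insensitive, so the match is too.
CMDLET = re.compile(r"\bget-adcomputer\b", re.IGNORECASE)

# Assumed indicators of an unconstrained-delegation search: the TrustedForDelegation
# property, or the userAccountControl TRUSTED_FOR_DELEGATION bit (0x80000 = 524288)
# tested with -band or with the LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803.
DELEGATION_MARKERS = (
    re.compile(r"trustedfordelegation", re.IGNORECASE),
    re.compile(r"useraccountcontrol\s*-band\s*(524288|0x80000)\b", re.IGNORECASE),
    re.compile(r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=524288", re.IGNORECASE),
)


def is_delegation_discovery(script_block: str) -> bool:
    """True when the block runs Get-ADComputer with a delegation-related filter.

    Both conditions are required: a delegation filter on another cmdlet
    (e.g. Get-ADUser) is outside this rule's scope and is not flagged.
    """
    if not CMDLET.search(script_block):
        return False
    return any(marker.search(script_block) for marker in DELEGATION_MARKERS)


def scan_events(events):
    """Return (Computer, ScriptBlockText) for matching 4104 events; other EventCodes are ignored."""
    return [(e["Computer"], e["ScriptBlockText"])
            for e in events
            if e.get("EventCode") == 4104 and is_delegation_discovery(e.get("ScriptBlockText", ""))]


if __name__ == "__main__":
    for computer, text in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {computer}: {text}")
```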
Categories
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Pod
  • Persona
  • Process
  • Application Log
ATT&CK Techniques
  • T1018
Created: 2024-11-13