Windows Powershell Logoff User via Quser

Splunk Security Content

Summary
This analytic detects the execution of user logoff commands from PowerShell through the "quser" (query user sessions) and "logoff" commands. It monitors PowerShell Script Block Logging events (EventCode 4104) for script blocks that invoke these commands, which indicates that a user session is being forcibly terminated. This can reflect legitimate administrative activity or an unauthorized attempt to revoke another user's session. The analytic surfaces account-management activity in which a user's access is removed without due authorization, giving insight into incidents such as session hijacking or unauthorized access remediation. The detection relies on PowerShell operational logs, so Script Block Logging must be enabled and the logs must be ingested for the search to return results. Abruptly ended user sessions warrant scrutiny because they may signal unauthorized activity or internal abuse.
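The matching logic described above, run over a handful of constructed EventCode 4104 records, as an added example that is not part of Splunk Security Content and is not the published SPL search. It assumes a simplified event shape (computer, user, event code, ScriptBlockText) and assumes that a block must reference both "quser" and "logoff" to be flagged; the sample events and host names are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Simplified stand-in for a PowerShell Script Block Logging record (assumption:
# real events carry many more fields; only those the check needs are modelled).
@dataclass
class ScriptBlockEvent:
    computer: str
    user: str
    event_code: int
    script_block_text: str


# Word-boundary matches so "logoff" inside an unrelated identifier does not fire;
# case-insensitive because PowerShell commands are case-insensitive.
QUSER_RE = re.compile(r"\bquser\b", re.IGNORECASE)
LOGOFF_RE = re.compile(r"\blogoff\b", re.IGNORECASE)
SCRIPT_BLOCK_EVENT_CODE = 4104


def is_session_logoff(event: ScriptBlockEvent) -> bool:
    """True when a 4104 script block references both quser and logoff.

    Assumption: requiring both tokens models the enumerate-then-terminate
    pattern the analytic describes and avoids firing on a bare 'logoff'
    mention in an unrelated script.
    """
    if event.event_code != SCRIPT_BLOCK_EVENT_CODE:
        return False  # 4103 (pipeline execution) and others are out of scope here
    text = event.script_block_text
    return bool(QUSER_RE.search(text)) and bool(LOGOFF_RE.search(text))


def find_session_logoffs(events: List[ScriptBlockEvent]) -> List[ScriptBlockEvent]:
    """Return the events that the analytic would surface for triage."""
    return [e for e in events if is_session_logoff(e)]


def summarize_by_computer(events: List[ScriptBlockEvent]) -> Dict[str, int]:
    """Count flagged script blocks per host, the grouping an analyst would review."""
    return dict(Counter(e.computer for e in find_session_logoffs(events)))


# Constructed sample telemetry (not captured from a real system).
SAMPLE_EVENTS = [
    ScriptBlockEvent("WS01", "CORP\\admin1", 4104, "quser; logoff 2"),
    ScriptBlockEvent("WS02", "CORP\\svc_backup", 4104,
                     "Get-Process | Where-Object CPU -gt 50"),
    ScriptBlockEvent("WS03", "CORP\\helpdesk", 4104,
                     "QUSER /server:WS03\nLOGOFF 3 /server:WS03"),
    ScriptBlockEvent("WS04", "CORP\\user7", 4103, "quser; logoff 1"),
    ScriptBlockEvent("WS05", "CORP\\user8", 4104,
                     "Write-Host 'logoff scheduled for tonight'"),
]

if __name__ == "__main__":
    for hit in find_session_logoffs(SAMPLE_EVENTS):
        print(f"{hit.computer} {hit.user}: {hit.script_block_text!r}")
    print(summarize_by_computer(SAMPLE_EVENTS))
```

Only two of the five constructed events are flagged: the 4103 record is excluded because it is not a script block event, and the event that merely mentions "logoff" in a string is excluded because it never references quser. When tuning the real search, the same two decisions (event code scoping and requiring both tokens) are where most false positives and false negatives are traded off.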
Categories
  • Endpoint
Data Sources
  • Pod
  • Application Log
  • Script
ATT&CK Techniques
  • T1531
  • T1059.001
  • T1059
Created: 2024-12-12