
Summary
This detection rule identifies the execution of PowerShell scripts that add a Name Resolution Policy Table (NRPT) entry for a specified namespace. The NRPT feature lets an organization control DNS resolution for particular namespaces by sending queries for those names to a specified DNS server rather than the system's default resolver. Attackers can abuse the same mechanism to evade DNS-based security controls and redirect traffic for malicious purposes. The detection works by monitoring PowerShell script blocks for keywords tied to the NRPT addition command, specifically the `Add-DnsClientNrptRule` cmdlet and the parameters that indicate a change to DNS resolution. Enabling this detection lets organizations capture potentially malicious, unauthorized changes to DNS configuration and strengthens monitoring against persistent threats and attacks that rely on DNS tunneling or redirection.
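The keyword matching described above, as an added example that is not part of the rule or of any project it belongs to: a small Python scanner that runs over script block text (the kind of content PowerShell Script Block Logging records), flags `Add-DnsClientNrptRule` invocations, pulls out the `-Namespace` and `-NameServers` values for triage, and raises severity when a resolver is not on an allow-list. The sample script blocks and the allow-list of approved resolvers are constructed for this example; the severity tiering is the example's own, not something the rule defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample script block texts, shaped like the ScriptBlockText field of a
# PowerShell Script Block Logging event. These are not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    # 1: NRPT rule pointing a namespace at an approved resolver
    'Add-DnsClientNrptRule -Namespace ".corp.example" -NameServers "10.0.0.5"',
    # 2: read-only cmdlet from the same family; must not fire
    'Get-DnsClientNrptRule | Format-List',
    # 3: lower-case invocation with two resolvers that are not on the allow-list
    'add-dnsclientnrptrule -namespace ".example.test" -nameservers "192.0.2.10","192.0.2.11"',
    # 4: unrelated activity
    'Write-Host "hello"',
]

# Hypothetical allow-list of resolvers the organisation sanctions (assumption for this example).
APPROVED_NAME_SERVERS = {"10.0.0.5", "10.0.0.6"}

# PowerShell cmdlet names are case-insensitive, so the match must be too.
CMDLET_RE = re.compile(r"\bAdd-DnsClientNrptRule\b", re.IGNORECASE)

# A parameter value: a double-quoted string, a single-quoted string, or a bare token;
# several values may be comma-separated, e.g. "a","b" or a,b.
_VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,]+)"""
PARAM_RE = re.compile(
    r"-(Namespace|NameServers)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)


def _split_values(raw: str) -> List[str]:
    """Turn '"a","b"' or 'a,b' into ['a', 'b'] with quotes stripped."""
    return [v.strip().strip("\"'") for v in raw.split(",") if v.strip()]


@dataclass
class NrptFinding:
    script_block: str
    namespace: Optional[str]
    name_servers: List[str] = field(default_factory=list)
    unapproved_servers: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A rule that sends queries to a resolver outside the allow-list is the
        # case the summary warns about, so it gets the higher tier.
        return "high" if self.unapproved_servers else "medium"


def inspect_script_block(text: str) -> Optional[NrptFinding]:
    """Return a finding if the script block adds an NRPT rule, else None."""
    if not CMDLET_RE.search(text):
        return None
    namespace: Optional[str] = None
    servers: List[str] = []
    for name, raw in PARAM_RE.findall(text):
        values = _split_values(raw)
        if name.lower() == "namespace":
            namespace = values[0] if values else None
        else:
            servers = values
    unapproved = [s for s in servers if s not in APPROVED_NAME_SERVERS]
    return NrptFinding(text, namespace, servers, unapproved)


def scan(script_blocks: List[str]) -> List[NrptFinding]:
    """Run the inspection over a batch of script block texts."""
    return [f for f in map(inspect_script_block, script_blocks) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{finding.severity}] namespace={finding.namespace!r} "
              f"servers={finding.name_servers} unapproved={finding.unapproved_servers}")
```

Two of the four constructed blocks produce findings; the one that points `.example.test` at two resolvers outside the allow-list is rated high. A plain keyword match of this kind does not see parameter abbreviations, splatted parameter sets, or values assembled at run time, so it is best paired with the Process data source named on this page (the command line of the powershell.exe process) rather than relied on alone.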
Categories
- Windows
Data Sources
- Script
- Process
Created: 2021-09-14