
Windows Find Domain Organizational Units with GetDomainOU

Splunk Security Content

Summary
This analytic rule detects execution of the `Get-DomainOU` cmdlet, part of the PowerView toolkit commonly used for Windows Active Directory enumeration. It relies on PowerShell Script Block Logging (EventCode=4104) to observe this potentially malicious activity. By identifying instances where `Get-DomainOU` is run, the rule aims to surface adversary attempts to enumerate organizational units within Active Directory, reconnaissance that can precede lateral movement or privilege escalation within a network. If the activity is confirmed malicious, it may give attackers vital insight into the domain's structure and facilitate further exploitation. The detection logic captures the relevant PowerShell script block events and groups the results so that the identified sessions can be triaged.
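As an added illustration of the detection logic described above (this is not the rule's own Splunk search, which is not reproduced on this page), the Python below runs a case-insensitive match for `Get-DomainOU` over constructed EventCode 4104 records and groups the hits per host and user for triage. The field names `Computer`, `UserID` and `ScriptBlockText` are assumed to mirror the Windows event fields; the sample records are constructed, not real log data.

```python
import re
from collections import defaultdict

# Constructed sample Script Block Logging events (EventCode 4104). Illustrative
# records only; field names (Computer, UserID, ScriptBlockText) are assumptions
# mirroring the common Windows event fields.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-DomainOU -Domain corp.example | Select-Object name"},
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "get-domainou -Properties distinguishedname"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    # Same text but a different EventCode: the rule only looks at 4104 events.
    {"EventCode": 4103, "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "Get-DomainOU"},
]

# Whole-word, case-insensitive match: PowerShell cmdlet names are not case sensitive.
GET_DOMAIN_OU = re.compile(r"\bGet-DomainOU\b", re.IGNORECASE)


def matches(event):
    """True when the event is a 4104 script block that invokes Get-DomainOU."""
    if event.get("EventCode") != 4104:
        return False
    return GET_DOMAIN_OU.search(event.get("ScriptBlockText", "")) is not None


def summarize(events):
    """Group matching events by (Computer, UserID), keeping a hit count and the
    script block texts seen, so each flagged session can be triaged as a unit."""
    summary = defaultdict(lambda: {"count": 0, "script_blocks": []})
    for ev in events:
        if matches(ev):
            key = (ev["Computer"], ev["UserID"])
            summary[key]["count"] += 1
            summary[key]["script_blocks"].append(ev["ScriptBlockText"])
    return dict(summary)


if __name__ == "__main__":
    for (host, user), info in summarize(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {info['count']} hit(s)")
        for text in info["script_blocks"]:
            print(f"    {text}")
```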
Categories
  • Windows
  • Endpoint
  • Network
  • Infrastructure
Data Sources
  • Persona
  • Windows Registry
  • Application Log
  • Pod
ATT&CK Techniques
  • T1087
  • T1087.002
Created: 2024-11-13