
Summary
This detection rule identifies and monitors execution of the PowerShell cmdlet `Get-ADDefaultDomainPasswordPolicy`, which retrieves the password policy for an Active Directory domain. It analyzes entries written by PowerShell Script Block Logging (EventCode=4104) to pinpoint instances where this command has been executed. Recognizing this activity matters because it can indicate an attacker gathering information about domain password policies, which could facilitate further malicious operations such as password attacks or additional domain reconnaissance. To implement this rule, ensure that PowerShell operational logs are collected and parsed for event code 4104. Administrators running this cmdlet during troubleshooting will trigger alerts that should be treated as false positives.
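The following Python is an added illustration of the detection logic described above, not the rule's own search or any vendor code. It runs a case-insensitive match for the cmdlet over constructed EventCode 4104 records (the field names `EventCode`, `Computer`, `UserID` and `ScriptBlockText` and all sample values are assumptions modelled on Script Block Logging output) and shows how a user allowlist can absorb the administrator false positives the rule notes.

```python
import re

# Constructed sample events modelled on Microsoft-Windows-PowerShell/Operational
# Script Block Logging records. Field names and values are assumptions, not
# taken from a real environment.
SAMPLE_EVENTS = [
    {
        "EventCode": 4104,
        "Computer": "WS01.corp.example",
        "UserID": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "ScriptBlockText": "Get-ADDefaultDomainPasswordPolicy -Identity corp.example",
    },
    {
        # Lower-case invocation piped into a filter: PowerShell cmdlets are
        # case-insensitive, so the detection must be too.
        "EventCode": 4104,
        "Computer": "ADM01.corp.example",
        "UserID": "S-1-5-21-1111111111-2222222222-3333333333-500",
        "ScriptBlockText": "get-addefaultdomainpasswordpolicy | Select-Object MinPasswordLength, LockoutThreshold",
    },
    {
        # Unrelated AD query: must not match.
        "EventCode": 4104,
        "Computer": "WS02.corp.example",
        "UserID": "S-1-5-21-1111111111-2222222222-3333333333-1220",
        "ScriptBlockText": "Get-ADUser -Filter * -Properties PasswordLastSet",
    },
    {
        # Same cmdlet text but a different event code (4103 module logging):
        # the rule is scoped to 4104, so this is skipped.
        "EventCode": 4103,
        "Computer": "WS03.corp.example",
        "UserID": "S-1-5-21-1111111111-2222222222-3333333333-1301",
        "ScriptBlockText": "Get-ADDefaultDomainPasswordPolicy",
    },
]

# Word boundaries keep e.g. a hypothetical "Get-ADDefaultDomainPasswordPolicyX"
# from matching; IGNORECASE covers PowerShell's case-insensitive cmdlet names.
CMDLET_PATTERN = re.compile(r"\bGet-ADDefaultDomainPasswordPolicy\b", re.IGNORECASE)


def detect_password_policy_discovery(events, allowlisted_users=frozenset()):
    """Return one finding per 4104 event whose script block invokes the cmdlet.

    allowlisted_users: SIDs of accounts whose use of the cmdlet is expected
    (e.g. administrators troubleshooting), suppressed as known false positives.
    """
    findings = []
    for event in events:
        if event.get("EventCode") != 4104:
            continue
        text = event.get("ScriptBlockText", "")
        if not CMDLET_PATTERN.search(text):
            continue
        if event.get("UserID") in allowlisted_users:
            continue
        findings.append(
            {
                "Computer": event.get("Computer"),
                "UserID": event.get("UserID"),
                "technique": "T1201",
                "ScriptBlockText": text,
            }
        )
    return findings


if __name__ == "__main__":
    for finding in detect_password_policy_discovery(SAMPLE_EVENTS):
        print(f"{finding['Computer']} {finding['UserID']}: {finding['ScriptBlockText']}")
```

Because 4104 records the script block as PowerShell reconstructs it, a literal match like this only catches the cmdlet when it appears by name; the allowlist is keyed on the account SID rather than the hostname so that tuning survives an administrator moving between workstations.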
Categories
- Windows
Data Sources
- Pod
ATT&CK Techniques
- T1201
Created: 2024-11-13