
Summary
This detection rule looks for execution of cmdlets from the AADInternals PowerShell toolkit. AADInternals is an administration and research toolkit for Azure Active Directory (Azure AD, now Microsoft Entra ID) and Office 365, but threat actors also use it to enumerate tenants, obtain tokens and alter identity configuration. The rule matches process creation events in which the image is powershell.exe or pwsh.exe and the command line contains one of the AADInternals cmdlet names in the rule's selection. Because the toolkit has legitimate administrative uses, a hit should be triaged against the executing user and host: use by anyone other than known identity administrators, or on a host where the module is not expected, is a strong indicator of reconnaissance against, or manipulation of, the organization's Azure AD environment. The rule sees only the command line, so a cmdlet invoked from a script file or passed as an encoded command is not matched unless the command line is decoded first.
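The matching logic described above, run over a few constructed process creation events, as an added example that is not part of the original rule. The four cmdlet names are real AADInternals cmdlets chosen here for illustration; the rule's actual selection list is not reproduced on this page. The example goes one step beyond the rule as described by also decoding a -EncodedCommand argument (Base64 of UTF-16LE script) before matching, so the encoded-command false negative noted above can be compared with and without that step. The ProcessEvent type, the sample events and the helper names are assumptions of this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Image basenames the rule keys on (compared case-insensitively).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Real AADInternals cmdlet names, used here as illustrative selectors only;
# the rule's full cmdlet list is an assumption not shown on this page.
AADINTERNALS_CMDLETS = [
    "Get-AADIntLoginInformation",
    "Get-AADIntReconAsOutsider",
    "Get-AADIntAccessTokenForAADGraph",
    "Export-AADIntADFSSigningCertificate",
]

# Match any listed cmdlet as a whole token; PowerShell names are case-insensitive.
CMDLET_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(c) for c in AADINTERNALS_CMDLETS) + r")(?![\w-])",
    re.IGNORECASE,
)

# Common spellings of the EncodedCommand switch followed by a Base64 blob.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process creation event (constructed for this example)."""
    image: str
    command_line: str


def is_powershell(image: str) -> bool:
    """True when the image basename is powershell.exe or pwsh.exe."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in POWERSHELL_IMAGES


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_event(event: ProcessEvent, decode_encoded: bool = True) -> Optional[str]:
    """Return the AADInternals cmdlet found in the event's command line, else None.

    With decode_encoded=False this is the rule as described on the page:
    a plain substring match on the raw command line.
    """
    if not is_powershell(event.image):
        return None
    m = CMDLET_RE.search(event.command_line)
    if m:
        return m.group(1)
    if decode_encoded:
        decoded = decode_encoded_command(event.command_line)
        if decoded:
            m = CMDLET_RE.search(decoded)
            if m:
                return m.group(1)
    return None


def run_rule(events: List[ProcessEvent], decode_encoded: bool = True) -> List[Tuple[ProcessEvent, str]]:
    """Apply the rule to a batch of events and return (event, cmdlet) hits."""
    hits = []
    for ev in events:
        cmdlet = match_event(ev, decode_encoded)
        if cmdlet:
            hits.append((ev, cmdlet))
    return hits


# Constructed sample events: two plain hits, a non-PowerShell image, a script-file
# invocation the rule cannot see into, and an encoded command.
_ENCODED = base64.b64encode(
    "Export-AADIntADFSSigningCertificate".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -Command "Import-Module AADInternals; '
                 'Get-AADIntLoginInformation -Domain contoso.com"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh -c get-aadintreconasoutsider -DomainName contoso.com"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo Get-AADIntLoginInformation"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\recon.ps1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -NoP -enc {_ENCODED}"),
]

if __name__ == "__main__":
    for ev, cmdlet in run_rule(SAMPLE_EVENTS):
        print(f"HIT {cmdlet}: {ev.command_line[:60]}")
```

The fourth sample event shows the blind spot of any command-line-only rule: the cmdlet lives in recon.ps1 and never appears in the process creation event, so coverage there needs script block logging (Event ID 4104) rather than this rule.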
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Process
- Command
Created: 2022-12-23