
Disabled Pre-Authentication Accounts Discovery - PowerShell

Anvilogic Forge

Summary
This rule detects attempts to discover domain accounts with Kerberos Pre-Authentication disabled by monitoring specific PowerShell commands. Threat actors may use cmdlets such as Get-ADUser or PowerView's Get-DomainUser to identify such accounts as candidates for Kerberos attacks like AS-REP roasting. The logic checks process logs from the past two hours for PowerShell commands whose command-line patterns indicate a query for accounts with Pre-Authentication disabled. Enabling PowerShell script block logging is highly recommended, since it gives more reliable detection results; detection that relies on process-creation events instead depends on the executed command line being captured in those events.
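The detection logic described above, as an added example that is not Anvilogic's rule code: a Python scan over constructed sample events (script block text and process-creation command lines) that applies the two-hour window, restricts process events to PowerShell images, and flags command text carrying a known indicator of a Pre-Authentication-disabled query. The DoesNotRequirePreAuth property (ActiveDirectory module) and the -PreauthNotRequired switch (PowerView) are the real names behind the two cmdlets the rule names; the third indicator, the userAccountControl DONT_REQ_PREAUTH bit (0x400000 = 4194304) in a raw LDAP filter, goes beyond the page's two cmdlets so that a script that bypasses them is still caught. Event layout, image list and sample lines are assumptions made for the example.

```python
"""Toy detector for PowerShell-based discovery of accounts with Kerberos
pre-authentication disabled, run over constructed sample log events."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Indicator strings. The property/parameter names are the real ones from the
# ActiveDirectory module and PowerView; 4194304 is the DONT_REQ_PREAUTH bit of
# userAccountControl (0x400000). The grouping into one regex is ours.
PREAUTH_INDICATORS = (
    r"DoesNotRequirePreAuth",                  # Get-ADUser -Filter / -Properties
    r"PreauthNotRequired",                     # PowerView Get-DomainUser switch
    r"userAccountControl[^\n]{0,40}4194304",   # raw LDAP / UAC bit filter
)
INDICATOR_RE = re.compile("|".join(PREAUTH_INDICATORS), re.IGNORECASE)

# Cmdlets named in the rule description; reported when present, not required.
CMDLET_RE = re.compile(r"\b(Get-ADUser|Get-DomainUser)\b", re.IGNORECASE)

# Assumed set of PowerShell host images for process-creation events.
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


@dataclass(frozen=True)
class LogEvent:
    time: datetime
    source: str   # "script" (script block logging) or "process" (process creation)
    image: str    # process image path for "process" events; "" for script blocks
    text: str     # script block text or full command line


@dataclass(frozen=True)
class Alert:
    event: LogEvent
    cmdlet: str      # matched cmdlet name, or "unknown"
    indicator: str   # indicator substring that fired


def is_powershell(event: LogEvent) -> bool:
    """Script blocks are PowerShell by definition; process events are
    checked by image file name (path separators stripped)."""
    if event.source == "script":
        return True
    return event.image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def match_event(event: LogEvent) -> Alert | None:
    """Return an Alert if the event is PowerShell and carries an indicator."""
    if not is_powershell(event):
        return None
    indicator = INDICATOR_RE.search(event.text)
    if not indicator:
        return None
    cmdlet = CMDLET_RE.search(event.text)
    return Alert(event, cmdlet.group(0) if cmdlet else "unknown", indicator.group(0))


def find_preauth_discovery(events, now: datetime,
                           window: timedelta = timedelta(hours=2)) -> list[Alert]:
    """Apply the look-back window, then match each remaining event."""
    start = now - window
    alerts = []
    for event in events:
        if start <= event.time <= now:
            alert = match_event(event)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events; NOW is a fixed reference so results are stable.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    LogEvent(NOW - timedelta(minutes=30), "script", "",
             "Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth"),
    LogEvent(NOW - timedelta(minutes=15), "process", PS_IMAGE,
             "powershell.exe -c Get-DomainUser -PreauthNotRequired"),
    LogEvent(NOW - timedelta(hours=3), "process", PS_IMAGE,
             "powershell.exe -c Get-DomainUser -PreauthNotRequired"),      # outside window
    LogEvent(NOW - timedelta(minutes=10), "process", r"C:\tools\notps.exe",
             "notps.exe --query PreauthNotRequired"),                       # not PowerShell
    LogEvent(NOW - timedelta(minutes=5), "script", "",
             "Get-ADUser -Filter * -Properties Name"),                      # benign query
    LogEvent(NOW - timedelta(minutes=2), "script", "",
             "([adsisearcher]'(userAccountControl:1.2.840.113556.1.4.803:=4194304)').FindAll()"),
]

if __name__ == "__main__":
    for a in find_preauth_discovery(SAMPLE_EVENTS, NOW):
        print(f"{a.event.time:%H:%M} {a.event.source:7} cmdlet={a.cmdlet:14} indicator={a.indicator}")
```

Run stand-alone, the block reports three of the six sample events: the two cmdlet-based queries and the raw LDAP filter; the stale event, the non-PowerShell process and the benign Get-ADUser call are left out. In a real deployment the cmdlet name would be enrichment rather than a filter, because script block logging also captures obfuscated or aliased invocations where only the indicator survives.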
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Script
  • Application Log
ATT&CK Techniques
  • T1133
  • T1087
  • T1558
Created: 2024-02-09