
Summary
This anomaly rule detects attempts to gather Windows Local Administrator Password Solution (LAPS) passwords by using PowerShell to read the ms-Mcs-AdmPwd attribute. LAPS automatically rotates local administrator passwords and stores them in Active Directory; when read access to the attribute is misconfigured or insufficiently restricted, an attacker with administrative rights can enumerate computer objects and retrieve the stored passwords.

The rule works on Windows endpoint telemetry from PowerShell Script Block Logging (Event ID 4104). It looks for ScriptBlockText containing patterns such as Get-AdComputer and ms-Mcs-AdmPwd, which together indicate a potential LAPS password retrieval workflow. The search aggregates matches by destination host, EventID, ScriptBlockText and related metadata, applies the built-in ctime macros for timestamp normalization, and then applies a predefined detection filter. When triggered, the rule raises an alert carrying contextual fields (host, script block, user and related process information) so that analysts can investigate and drill down quickly.

The approach requires ingesting rich EDR-generated command lines and mapping them to the Endpoint CIM model for accurate correlation. Although it is effective at catching unauthorized password access, legitimate administrative tasks can produce the same pattern, so tuning and whitelisting of approved activity is recommended to reduce false positives.

The rule is categorized under Credential Dumping and Active Directory Privilege Escalation and maps to MITRE ATT&CK techniques T1552 and T1003. To maximize accuracy, make sure EDR telemetry is comprehensive (process GUID, process name, parent process and full command lines) and normalized to the Splunk CIM.
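The detection logic described above, reproduced in Python over constructed sample 4104 events as an added example (not the rule's own search or any Splunk code): it applies the Get-AdComputer and ms-Mcs-AdmPwd indicators to ScriptBlockText, aggregates matches by host, EventCode, user and script block with first/last seen times, and flags matches from a hypothetical list of approved LAPS readers to support the tuning the summary recommends.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample PowerShell Script Block Logging (Event ID 4104) events, shaped
# like Splunk-normalized fields. These are made-up records, not captured telemetry.
LAPS_QUERY = "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Select Name,ms-Mcs-AdmPwd"
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "WS01", "EventCode": 4104, "UserID": "CORP\\jdoe", "ScriptBlockText": LAPS_QUERY},
    {"_time": 1700000060, "dest": "WS01", "EventCode": 4104, "UserID": "CORP\\jdoe", "ScriptBlockText": LAPS_QUERY},
    {"_time": 1700000120, "dest": "SRV02", "EventCode": 4104, "UserID": "CORP\\svc_laps",
     "ScriptBlockText": "Get-ADComputer -Identity SRV02 -Properties ms-Mcs-AdmPwd"},
    {"_time": 1700000180, "dest": "WS03", "EventCode": 4104, "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-ADComputer -Filter 'Name -like \"WS*\"' | Select Name"},  # benign: no LAPS attribute
    {"_time": 1700000240, "dest": "WS03", "EventCode": 4103, "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-ADComputer -Properties ms-Mcs-AdmPwd"},  # not a 4104 event, ignored
]

# Both indicators must be present (case-insensitive), as in the rule's ScriptBlockText filter.
INDICATORS = [re.compile(r"get-adcomputer", re.I), re.compile(r"ms-mcs-admpwd", re.I)]

# Hypothetical tuning list: principals approved to read LAPS passwords (the whitelisting
# the summary suggests). Their matches are still reported, but flagged as approved.
APPROVED_USERS = {"CORP\\svc_laps"}

def ctime(epoch):
    """Stand-in for Splunk's ctime conversion: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def matches_laps_retrieval(event):
    """True for a 4104 event whose ScriptBlockText carries both indicators."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return all(p.search(text) for p in INDICATORS)

def detect(events, approved=APPROVED_USERS):
    """Aggregate matches by dest, EventCode, user and ScriptBlockText, like the search's stats step."""
    groups = defaultdict(list)
    for ev in events:
        if matches_laps_retrieval(ev):
            groups[(ev["dest"], ev["EventCode"], ev["UserID"], ev["ScriptBlockText"])].append(ev["_time"])
    alerts = []
    for (dest, code, user, text), times in groups.items():
        alerts.append({"dest": dest, "EventCode": code, "user": user, "ScriptBlockText": text,
                       "count": len(times), "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
                       "approved": user in approved})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the repeated WS01 query from an unapproved user (count 2) and the single SRV02 query flagged as approved; the benign and non-4104 events produce nothing.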
Categories
- Endpoint
- Windows
Data Sources
- Script
ATT&CK Techniques
- T1552
- T1003
Created: 2026-04-13