
Get-ForestTrust with PowerShell Script Block

Splunk Security Content

Summary
This analytic rule monitors the execution of the `Get-ForestTrust` command, which can indicate that an attacker is probing for domain trust relationships within an environment. Utilizing PowerShell Script Block Logging (EventCode=4104), the rule captures the exact command text that is executed, allowing for detailed analysis of potential malicious activities. The ability to gather domain trust information is critical for attackers as it aids in lateral movement and privilege escalation. Therefore, detecting this command's execution is essential for identifying suspicious behavior that could lead to further exploitation of sensitive resources. The rule provides enriched insights through the associated detection search and drilldown searches, enabling security teams to correlate and investigate incidents effectively.
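The matching logic described above, written out as an added Python example (not the Splunk Security Content detection itself): it filters constructed EventCode 4104 records, performs a case-insensitive match on `Get-ForestTrust` in the `ScriptBlockText` field, and rolls the hits up per host and user. The sample records and the `Computer`/`UserID` field names are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample of PowerShell Script Block Logging records (EventCode 4104), reduced to
# the fields the detection keys on. These are made-up test records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-ForestTrust"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventCode": 4104, "Computer": "dc01.corp.example", "UserID": "CORP\\svc_adm",
     "ScriptBlockText": "Import-Module ActiveDirectory; get-foresttrust | Format-List"},
    # Same cmdlet name but logged under a different event code: out of scope for this rule.
    {"EventCode": 4103, "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "Get-ForestTrust"},
]

# PowerShell resolves command names case-insensitively, so the match must be too.
# The word boundaries keep a longer, unrelated identifier from matching.
CMDLET_RE = re.compile(r"\bGet-ForestTrust\b", re.IGNORECASE)


def find_forest_trust_enumeration(events):
    """Return the 4104 records whose script block text invokes Get-ForestTrust."""
    hits = []
    for event in events:
        if event.get("EventCode") != 4104:
            continue
        text = event.get("ScriptBlockText", "")
        if CMDLET_RE.search(text):
            hits.append({"Computer": event["Computer"], "UserID": event["UserID"],
                         "ScriptBlockText": text})
    return hits


def summarize_by_host_user(hits):
    """Aggregate matches per (host, user) pair, mirroring a 'stats count by' roll-up."""
    return dict(Counter((h["Computer"], h["UserID"]) for h in hits))


if __name__ == "__main__":
    for (host, user), count in summarize_by_host_user(
            find_forest_trust_enumeration(SAMPLE_EVENTS)).items():
        print(f"{host}\t{user}\t{count}")
```

Long script blocks are split across several 4104 events, so the substring match is applied to each fragment rather than assuming the whole script arrives in one record.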
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1482
  • T1059.001
Created: 2024-11-13