
Summary
This detection rule identifies the execution of `powershell.exe` with command-line arguments that query domain groups through WMI, specifically a `Get-WmiObject` call against the `ds_group` class (the Active Directory group class exposed in the `root\directory\ldap` WMI namespace). It uses process-execution telemetry from Endpoint Detection and Response (EDR) agents, Sysmon, and Windows Security Event logs, and tracks the process name, command line, user, and parent process. Enumerating domain groups this way is a reconnaissance step: an attacker maps group membership in the Active Directory environment to pick targets for privilege escalation or lateral movement before acting on them. The rule therefore flags PowerShell invocations that touch Active Directory in this manner so that security teams can investigate whether the activity is legitimate administration or unauthorized information gathering.
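The matching logic described above, run over a few constructed process-creation events, as an added example that is not the page's rule or any vendor's code. The event dictionaries, their field names (`user`, `parent_process_name`, `process_name`, `process`) and the sample command lines are assumptions made for illustration. The example goes beyond the rule as summarized in two ways, and both are labelled in the code: it decodes `-EncodedCommand` payloads before matching, because a base64-wrapped script defeats a plain substring search on the command line, and it also flags `Get-CimInstance` against the same class, which the rule does not mention.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon EventID 1 / Security 4688 shape),
# not real telemetry. Field names mirror the ones the page says the rule tracks.
HIDDEN_SCRIPT = r"Get-WmiObject -Namespace root\directory\ldap -Class ds_group"
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_SCRIPT = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process": r'powershell.exe -NoP -c "Get-WmiObject -Namespace root\directory\ldap -Class ds_group | Select ds_samaccountname"'},
    {"user": "CORP\\bob", "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process": r'powershell.exe -c "Get-WmiObject -Class Win32_OperatingSystem"'},
    {"user": "CORP\\carol", "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process": f"powershell.exe -NoProfile -enc {ENCODED_SCRIPT}"},
    {"user": "CORP\\dave", "parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "process": r"cmd.exe /c echo ds_group"},
    {"user": "CORP\\erin", "parent_process_name": "cmd.exe", "process_name": "pwsh.exe",
     "process": r'pwsh.exe -c "Get-CimInstance -Namespace root\directory\ldap -ClassName ds_group"'},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Get-CimInstance is an addition beyond the page's rule, which names only Get-WmiObject.
WMI_CMDLETS = ("get-wmiobject", "get-ciminstance")
TARGET_CLASS = "ds_group"

# Matches -e / -ec / -enc / -encodedcommand followed by a base64 token. Assumption: these are
# the common spellings; PowerShell also accepts other unambiguous prefixes of -EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def is_ds_group_enumeration(event):
    """True when a PowerShell host queries the ds_group WMI class, in plaintext or encoded form."""
    if event.get("process_name", "").lower() not in POWERSHELL_HOSTS:
        return False
    cmdline = event.get("process", "")
    decoded = decode_encoded_command(cmdline) or ""
    # Search the visible command line and the decoded script together, case-insensitively.
    haystack = (cmdline + " " + decoded).lower()
    return TARGET_CLASS in haystack and any(c in haystack for c in WMI_CMDLETS)


def find_ds_group_enumeration(events):
    """Filter events and keep only the fields an analyst would pivot on."""
    return [
        {k: e.get(k) for k in ("user", "parent_process_name", "process_name", "process")}
        for e in events
        if is_ds_group_enumeration(e)
    ]


if __name__ == "__main__":
    for hit in find_ds_group_enumeration(SAMPLE_EVENTS):
        print(f"{hit['user']} via {hit['parent_process_name']} -> {hit['process_name']}: {hit['process']}")
```

Running the block reports alice (plaintext `Get-WmiObject`), carol (the same script hidden behind `-enc`) and erin (`Get-CimInstance` from `pwsh.exe`), and ignores bob's unrelated WMI query and dave's `cmd.exe` line that merely contains the string `ds_group`. The parent process field is worth keeping in the output: an interactive `cmd.exe` or `explorer.exe` parent under an administrator's session reads differently from the same command spawned by an Office process or a service binary.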
Categories
- Endpoint
- Windows
- Identity Management
- Infrastructure
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
ATT&CK Techniques
- T1069
- T1069.002
Created: 2024-11-13