
Windows Domain Account Discovery Via Get-NetComputer

Splunk Security Content

Summary
This rule detects use of the PowerView PowerShell cmdlet 'Get-NetComputer', which enumerates computer account objects in Active Directory and can return sensitive attributes such as 'samaccountname', 'accountexpires' and 'lastlogon'. Detection is performed by monitoring PowerShell Script Block Logging (Event ID 4104) for script block text that references the cmdlet. Enumerating domain accounts in this way is typical pre-attack reconnaissance and can precede unauthorized access, privilege escalation, or lateral movement within the network. Because administrators and audit tooling may run the same cmdlet legitimately, filter known administrative hosts and accounts to limit false positives without suppressing real threats.
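The following is an added example, not the Splunk search or PowerView code: it replays the rule's logic over a handful of constructed 4104 events. It assumes the match condition is the cmdlet name plus at least one of the attribute names listed above (an assumption, since the page does not quote the search), and it adds two things a practitioner wants in practice: reassembly of fragmented script blocks by ScriptBlockId, and an allowlist for administrative hosts and accounts. Host names, user names and the sample events are all made up.

```python
"""Replay the Get-NetComputer discovery rule over constructed 4104 events.

Added example: this is not the Splunk search itself. Assumed matching
logic: the script block must name the PowerView cmdlet and at least one of
the attributes the detection summary lists.
"""
import re
from collections import defaultdict

CMDLET = re.compile(r"Get-NetComputer", re.IGNORECASE)  # PowerShell is case-insensitive
ATTRIBUTES = re.compile(r"samaccountname|accountexpires|lastlogon", re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names follow the
# Microsoft-Windows-PowerShell/Operational event 4104 schema, where a long
# script is split across fragments that share a ScriptBlockId.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-NetComputer -Domain corp.local -FullData |"},
    {"EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": " Select-Object samaccountname, lastlogon, accountexpires"},
    {"EventCode": 4104, "Computer": "adm01.corp.local", "UserID": "CORP\\adm-svc",
     "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "get-netcomputer | select samaccountname"},
    {"EventCode": 4104, "Computer": "ws02.corp.local", "UserID": "CORP\\asmith",
     "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties lastlogon"},
    {"EventCode": 4103, "Computer": "ws03.corp.local", "UserID": "CORP\\bjones",
     "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-NetComputer | select samaccountname"},
]


def matches_rule(script_text):
    """Per-block test: cmdlet name plus at least one listed attribute."""
    return bool(CMDLET.search(script_text) and ATTRIBUTES.search(script_text))


def reassemble(events):
    """Join 4104 fragments with the same ScriptBlockId in MessageNumber order.

    Matching fragment by fragment would miss a script whose cmdlet and
    attribute names land in different fragments (the ws01 sample above).
    """
    fragments = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == 4104:
            fragments[ev["ScriptBlockId"]].append(ev)
    blocks = []
    for frags in fragments.values():
        frags.sort(key=lambda e: e["MessageNumber"])
        head = frags[0]
        blocks.append({
            "Computer": head["Computer"],
            "UserID": head["UserID"],
            "ScriptBlockId": head["ScriptBlockId"],
            "ScriptBlockText": "".join(f["ScriptBlockText"] for f in frags),
        })
    return blocks


def detect(events, allowed_hosts=(), allowed_users=()):
    """Return one alert per matching script block, minus allow-listed admin activity."""
    hosts = {h.lower() for h in allowed_hosts}
    users = {u.lower() for u in allowed_users}
    alerts = []
    for block in reassemble(events):
        if not matches_rule(block["ScriptBlockText"]):
            continue
        if block["Computer"].lower() in hosts or block["UserID"].lower() in users:
            continue  # known administrative usage; tune this allowlist per environment
        alerts.append({
            "Computer": block["Computer"],
            "UserID": block["UserID"],
            "ScriptBlockId": block["ScriptBlockId"],
            "technique": "T1087.002",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_hosts=["adm01.corp.local"]):
        print(alert)
```

Run stand-alone it prints a single alert for the fragmented script on ws01; the same script examined one fragment at a time does not match, which is why the reassembly step precedes the match. The native Get-ADComputer sample does not fire because the rule keys on the PowerView cmdlet name, and the 4103 event is ignored because the rule only reads 4104.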
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • PowerShell Script Block Logging (Event ID 4104)
ATT&CK Techniques
  • T1087 (Account Discovery)
  • T1087.002 (Account Discovery: Domain Account)
Created: 2024-11-13