
Summary
This detection rule identifies executions of the PowerShell script 'ADRecon.ps1', an Active Directory reconnaissance tool widely used by threat actors, including the FIN7 group. It monitors script execution through PowerShell's Script Block Logging, so Script Block Logging must be enabled in the Windows environment for the rule to produce results. The detection matches function names and output file names that are characteristic of ADRecon, such as 'Get-ADRDomainController' and 'ADRecon-Report.xlsx'. Because the script gives attackers a ready-made intelligence-gathering capability, its execution warrants a high alert level. The references provide further detail on the script's capabilities and the associated threat landscape.
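The matching logic described above, as an added illustration that is not the rule's own code: it inspects Script Block Logging events (Microsoft-Windows-PowerShell/Operational, Event ID 4104, whose ScriptBlockText field carries the script body) for the two indicators named in the summary. The event structure, the ScriptBlockEvent class, find_adrecon_hits, and the sample events are all constructed here for the example; a long script is logged as several 4104 fragments, so each fragment is checked on its own.

```python
import re
from dataclasses import dataclass

# Indicators named in the rule summary: an ADRecon function and its default report file.
ADRECON_INDICATORS = ("Get-ADRDomainController", "ADRecon-Report.xlsx")
# PowerShell identifiers are case-insensitive, so match without regard to case.
_PATTERN = re.compile("|".join(re.escape(i) for i in ADRECON_INDICATORS), re.IGNORECASE)


@dataclass
class ScriptBlockEvent:
    """Minimal view of a 4104 Script Block Logging event (constructed for this example)."""
    event_id: int
    script_block_id: str
    message_number: int   # fragment index when a long script is split across events
    message_total: int
    script_block_text: str


def find_adrecon_hits(events):
    """Return (script_block_id, matched_indicator) for every 4104 fragment that matches.

    Fragments are inspected individually, so a hit is not lost when the script body
    is spread over several events sharing one ScriptBlockId."""
    hits = []
    for ev in events:
        if ev.event_id != 4104:          # only script block text events carry the script body
            continue
        m = _PATTERN.search(ev.script_block_text)
        if m:
            hits.append((ev.script_block_id, m.group(0)))
    return hits


# Constructed sample telemetry (not real logs): a benign admin query that must not fire,
# an ADRecon-style script logged as two fragments, and a non-4104 event that is ignored.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "a1", 1, 1, "Get-ADDomainController -Filter * | Select Name"),
    ScriptBlockEvent(4104, "b2", 1, 2, "function Get-ADRDomainController { ... }"),
    ScriptBlockEvent(4104, "b2", 2, 2, "$ExcelPath = Join-Path $OutputDir 'ADRecon-Report.xlsx'"),
    ScriptBlockEvent(4103, "c3", 1, 1, "Get-ADRDomainController"),
]

if __name__ == "__main__":
    for sbid, indicator in find_adrecon_hits(SAMPLE_EVENTS):
        print(f"ALERT ScriptBlockId={sbid} indicator={indicator}")
```

Note that the legitimate cmdlet Get-ADDomainController in the first event does not match Get-ADRDomainController, which is why the rule keys on ADRecon's own function names rather than on generic AD queries.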
Categories
- Windows
- Cloud
- Infrastructure
Data Sources
- Script
- Process
Created: 2021-07-16