
Summary
This analytic detection rule targets use of the PowerView PowerShell cmdlet 'Get-NetUser' to enumerate Active Directory user accounts that are not disabled. It monitors PowerShell Script Block Logging events (EventCode 4104) for script blocks in which the UACFilter parameter is explicitly set to NOT_ACCOUNTDISABLE. Such a query can indicate reconnaissance by an attacker enumerating accessible user accounts for follow-on activity, which may include unauthorized access, privilege escalation, or lateral movement within the network. The rule captures the relevant script block text so that analysts can review these potentially harmful queries in full.
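The matching logic described above, written as an added example rather than the rule's own search: it runs over constructed EventCode 4104 records whose field names (EventCode, Computer, UserID, ScriptBlockText) are assumed to mirror what a SIEM extracts from Script Block Logging, and it also handles PowerView's comma-separated UACFilter lists, which the summary does not mention.

```python
import re

# Constructed sample Script Block Logging (EventCode 4104) records; the field
# names are an assumption about how a SIEM would present these events.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | Select-Object samaccountname"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventCode": 4104, "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "get-netuser -uacfilter not_accountdisable,not_lockout"},
    {"EventCode": 4103, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE"},   # wrong event code: ignored
    {"EventCode": 4104, "Computer": "ws04.corp.example", "UserID": "CORP\\dave",
     "ScriptBlockText": "Get-NetUser -UACFilter ACCOUNTDISABLE"},        # different filter value: ignored
]

# Cmdlet and parameter names are case-insensitive in PowerShell, so match
# case-insensitively. The optional group allows other UACFilter values to
# precede NOT_ACCOUNTDISABLE in a comma-separated list.
PATTERN = re.compile(
    r"get-netuser\b.*?-uacfilter\s+(?:[^\s,]+,)*not_accountdisable\b",
    re.IGNORECASE,
)


def is_match(event):
    """True when a 4104 script block sets UACFilter to NOT_ACCOUNTDISABLE."""
    if event.get("EventCode") != 4104:
        return False
    return PATTERN.search(event.get("ScriptBlockText", "")) is not None


def detect(events):
    """Return one finding per matching event, keeping the fields an analyst triages."""
    return [
        {"Computer": e["Computer"], "UserID": e["UserID"], "ScriptBlockText": e["ScriptBlockText"]}
        for e in events
        if is_match(e)
    ]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```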
Categories
- Windows
- Endpoint
Data Sources
- Pod
- User Account
- Persona
ATT&CK Techniques
- T1087.001
- T1087
Created: 2024-11-13