Suspicious Get-ADReplAccount

Sigma Rules

Summary
This detection rule focuses on identifying potentially malicious uses of the Get-ADReplAccount command via PowerShell. The Get-ADReplAccount cmdlet is part of the DSInternals PowerShell Module, which provides various features related to Active Directory. Malicious actors may leverage this tool for credential access, exploiting its capabilities to interact with Active Directory and perform actions such as auditing FIDO2 credentials, manipulating NTDS.dit files, or recovering data from backups. To effectively capture this behavior, the detection looks for specific PowerShell script blocks that contain the command, with certain parameters indicating a potentially suspicious intention. The rule is set to medium priority and requires that Script Block Logging is enabled on the Windows machine for it to function properly. False positives may arise from legitimate administrative scripts that use the Get-ADReplAccount cmdlet.
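As an added example (not code from the rule page, SigmaHQ or the DSInternals project), a small Python matcher that applies the detection idea above to constructed Event ID 4104 records. The page does not name the parameters the rule keys on, so the token set (Get-ADReplAccount, -All, -Server) is an assumption; the reassembly step exists because Windows splits long script blocks across several 4104 events, and matching fragment by fragment would miss a block whose tokens land in different fragments.

```python
"""Toy matcher for the 'Suspicious Get-ADReplAccount' logic over
PowerShell Script Block Logging events (Event ID 4104)."""
from collections import defaultdict

# Parameter set assumed for illustration; the page only says the rule
# keys on "certain parameters" without naming them.
REQUIRED_TOKENS = ("get-adreplaccount", "-all", "-server")

# Constructed sample events, not real telemetry. Block "b2" is split
# across two fragments, as Windows does for long script blocks.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "Computer": "ws07.corp.example",
     "Path": "", "ScriptBlockText": "Get-ADReplAccount -All -Server dc01.corp.example"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 2, "Computer": "ws07.corp.example",
     "Path": "", "ScriptBlockText": " -Server DC01 -NamingContext 'DC=corp,DC=example'"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "Computer": "ws07.corp.example",
     "Path": "", "ScriptBlockText": "Import-Module DSInternals; get-adreplaccount -all"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "Computer": "dc01.corp.example",
     "Path": "C:\\Scripts\\audit.ps1", "ScriptBlockText": "Get-ADUser -Filter * -Server dc01"},
    {"EventID": 4103, "ScriptBlockId": "", "MessageNumber": 1, "Computer": "ws07.corp.example",
     "Path": "", "ScriptBlockText": "Get-ADReplAccount -All -Server dc01"},
]


def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.

    Returns {ScriptBlockId: (full_text, one_event_for_metadata)}.
    """
    parts, meta = defaultdict(list), {}
    for ev in events:
        if ev["EventID"] != 4104:
            continue  # only script block events carry the text inspected here
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        meta[ev["ScriptBlockId"]] = ev
    return {sid: ("".join(t for _, t in sorted(frags)), meta[sid]) for sid, frags in parts.items()}


def matches(script_text, tokens=REQUIRED_TOKENS):
    """Sigma-style 'contains|all': every token present, case-insensitive."""
    lowered = script_text.lower()
    return all(tok in lowered for tok in tokens)


def find_suspicious(events, tokens=REQUIRED_TOKENS):
    """Return sorted (ScriptBlockId, Computer, Path) for each matching block.

    Path is kept so a hit from a known administrative script can be
    triaged as the false positive the rule description anticipates.
    """
    blocks = reassemble_script_blocks(events)
    return sorted((sid, ev["Computer"], ev["Path"]) for sid, (text, ev) in blocks.items() if matches(text, tokens))
```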
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1003.006
Created: 2022-02-06