GetWmiObject DS User with PowerShell

Splunk Security Content

Summary
This analytic rule detects the execution of PowerShell commands that use the `Get-WmiObject` cmdlet with the `-class ds_user` parameter, a query commonly used to enumerate domain users. It identifies potential reconnaissance by adversaries in Active Directory environments. The detection is powered by data collected from Endpoint Detection and Response (EDR) agents, matching on the process name and command-line parameters of `powershell.exe` or `cmd.exe`. Enumerating domain users is a typical precursor to broader attacks such as privilege escalation and lateral movement, so identifying these command executions lets organizations strengthen their defenses against unauthorized activity before it progresses. The rule requires logs from Sysmon and other sources that correctly capture both the user and the process command line.
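To make the described matching concrete, the following is an added Python example (not the rule's own Splunk search) that applies the same logic to constructed Sysmon-style process-creation events; the field names and sample records are assumptions for illustration.

```python
import re
from typing import Iterable

# Process-creation events (Sysmon Event ID 1 style) in the shape an EDR feed
# would deliver them. These records are constructed for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "process_name": "powershell.exe",
     "command_line": 'powershell.exe -c "Get-WmiObject -Class ds_user -Namespace root\\directory\\ldap"'},
    {"host": "ws02", "user": "CORP\\bob", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c powershell get-wmiobject  -class   DS_USER | select ds_samaccountname"},
    {"host": "ws03", "user": "CORP\\carol", "process_name": "powershell.exe",
     "command_line": "powershell.exe Get-WmiObject -Class Win32_OperatingSystem"},
    {"host": "ws04", "user": "CORP\\dave", "process_name": "notepad.exe",
     "command_line": "notepad.exe Get-WmiObject -class ds_user notes.txt"},
]

# The rule only considers these two parent processes.
PROCESS_NAMES = {"powershell.exe", "cmd.exe"}

# Cmdlet name followed (anywhere later on the line) by the ds_user class
# argument; case-insensitive, tolerating any amount of whitespace after -class.
WMI_DS_USER = re.compile(r"get-wmiobject\b.*?-class\s+ds_user\b",
                         re.IGNORECASE | re.DOTALL)


def is_ds_user_enumeration(event: dict) -> bool:
    """True when the event matches the rule: powershell.exe or cmd.exe whose
    command line invokes Get-WmiObject with -class ds_user."""
    if event.get("process_name", "").lower() not in PROCESS_NAMES:
        return False
    return WMI_DS_USER.search(event.get("command_line", "")) is not None


def find_ds_user_enumeration(events: Iterable[dict]) -> list[dict]:
    """Reduce a stream of process events to the alerts an analyst should
    triage, keeping the fields needed to attribute the activity."""
    hits = []
    for ev in events:
        if is_ds_user_enumeration(ev):
            hits.append({k: ev[k] for k in ("host", "user", "process_name", "command_line")})
    return hits


if __name__ == "__main__":
    for hit in find_ds_user_enumeration(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']} {hit['process_name']}: {hit['command_line']}")
```

The third record shows that a benign `Get-WmiObject` call against another class is ignored, and the fourth that the process-name filter drops a command line that contains the strings but did not run under PowerShell or cmd.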
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1087.002
  • T1087
Created: 2024-11-13