PowerView_SharpView Commands

Anvilogic Forge

Summary
The rule detects the enumeration of users and other sensitive data within a network using PowerView and its C# implementation, SharpView. Adversaries often misuse these tools to gather information about the primary and currently logged-in users, system usage, and other domain specifics to further their malicious activities. The detection logic leverages various Windows Event IDs, specifically targeting PowerShell command executions related to user and domain enumeration, by monitoring for specific keywords indicative of PowerView and SharpView commands. Keywords include actions such as fetching domain users, groups, computers, trust relationships, and other Active Directory attributes. The rule collects this data so that unauthorized use and potential malware deployment can be checked for, and a baseline of normal administrative activity should be established so that malicious patterns stand out against it. It is associated with adversary techniques such as permission discovery and share enumeration, supporting a proactive stance against potential exploitation by threat actors.
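As an added illustration, not the Anvilogic rule's own logic or code, the following Python sketches the keyword-matching approach the summary describes, run over constructed Event ID 4104 (script block logging) and 4688 (process creation) records. The cmdlet names are PowerView's (SharpView accepts the same names as arguments); the technique mapping, the hostnames, the users and the baseline host list are assumptions for the example.

```python
import re

# Constructed sample events (not real telemetry). EID 4104 = PowerShell
# script block logging, EID 4688 = process creation with command line.
EVENTS = [
    {"EventID": 4104, "Host": "WS-0142", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-DomainUser -Identity * | Select samaccountname"},
    {"EventID": 4688, "Host": "WS-0142", "User": "CORP\\jdoe",
     "CommandLine": "SharpView.exe Get-DomainGroupMember -Identity 'Domain Admins'"},
    {"EventID": 4104, "Host": "ADMIN-JUMP01", "User": "CORP\\svc_audit",
     "ScriptBlockText": "Find-DomainShare -CheckShareAccess"},
    {"EventID": 4104, "Host": "WS-0201", "User": "CORP\\asmith",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
]

# PowerView function names (SharpView reuses them as its argument), mapped to
# the ATT&CK techniques the rule cites. The mapping is an assumption here.
KEYWORD_TECHNIQUES = [
    (re.compile(r"\bGet-(Domain|Net)User\b", re.I), "T1087.002"),
    (re.compile(r"\bGet-(Domain|Net)Group(Member)?\b", re.I), "T1069.002"),
    (re.compile(r"\b(Find-DomainShare|Invoke-ShareFinder|Get-NetShare)\b", re.I), "T1135"),
    (re.compile(r"\bGet-NetLoggedon\b", re.I), "T1033"),
    (re.compile(r"\bGet-NetSession\b", re.I), "T1049"),
    (re.compile(r"\bGet-DomainPolicy(Data)?\b", re.I), "T1201"),
    (re.compile(r"\bGet-(Domain|Net)GPO\b", re.I), "T1615"),
]

# Constructed baseline: hosts where administrators routinely run such
# queries. In practice this is tuned from observed legitimate activity.
BASELINE_HOSTS = {"ADMIN-JUMP01"}


def extract_command(event):
    """Return the logged command text regardless of which event type it is."""
    return event.get("ScriptBlockText") or event.get("CommandLine") or ""


def detect(events, baseline_hosts=BASELINE_HOSTS):
    """Flag events whose command text contains PowerView/SharpView keywords."""
    findings = []
    for ev in events:
        if ev["EventID"] not in (4104, 4688):
            continue
        text = extract_command(ev)
        hits = sorted({tech for rx, tech in KEYWORD_TECHNIQUES if rx.search(text)})
        if not hits:
            continue
        findings.append({
            "host": ev["Host"], "user": ev["User"], "event_id": ev["EventID"],
            "techniques": hits,
            # A SharpView.exe binary name marks the C# port; otherwise treat
            # the hit as the PowerShell module.
            "tool": "SharpView" if re.search(r"sharpview", text, re.I) else "PowerView",
            # Baseline hits are kept for review rather than dropped outright.
            "baseline": ev["Host"] in baseline_hosts,
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The baseline flag is deliberately informational: a keyword hit from an expected admin host still records the techniques so an analyst can confirm it matches the established pattern.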
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1033
  • T1069.002
  • T1087.002
  • T1135
  • T1201
  • T1615
  • T1059.001
  • T1049
Created: 2024-02-09