Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock

Sigma Rules

Summary
This rule detects the execution of PowerShell scripts that call the 'Start-NetEventSession' cmdlet, which attackers can use to perform network event and packet capture. By starting an event session, adversaries can monitor and capture network traffic and potentially obtain sensitive information such as user credentials, especially when the data is transmitted over insecure or unencrypted channels. This technique is typically employed during the post-exploitation phase of an attack to support data gathering and reconnaissance. The rule works by examining script block logs for any occurrence of the specified cmdlet, which indicates a possible attempt to capture network traffic. Script Block Logging must be enabled for this rule to produce any matches.
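As an added illustration of the detection logic described above (example code written for this page, not the rule's own definition or part of the Sigma project), the following Python script applies a case-insensitive substring match for the cmdlet name to a few constructed script block log records. Event ID 4104 as the Script Block Logging event, the JSON-lines record layout and the field names are assumptions of the example.

```python
import json
from typing import Dict, Iterator, List

# Constructed sample records (not real logs), modelled on PowerShell Script
# Block Logging as a log shipper might export it in JSON-lines form.
# Event ID 4104 is assumed to be the script block logging event; the
# Computer and ScriptBlockText field names are assumed as well.
SAMPLE_LOG = """
{"EventID": 4104, "Computer": "ws01", "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"}
{"EventID": 4104, "Computer": "ws01", "ScriptBlockText": "Start-NetEventSession -Name 'trace1'"}
{"EventID": 4104, "Computer": "ws02", "ScriptBlockText": "  START-NETEVENTSESSION -name capture"}
{"EventID": 4103, "Computer": "ws02", "ScriptBlockText": "Start-NetEventSession"}
{"EventID": 4104, "Computer": "ws03", "ScriptBlockText": "Write-Host 'see docs for Start-NetEventSession'"}
""".strip()

# The cmdlet the rule looks for; Sigma's `contains` modifier matches
# case-insensitively, so the comparison below lower-cases both sides.
CMDLET = "Start-NetEventSession"


def parse_events(raw: str) -> Iterator[Dict[str, object]]:
    """Yield one event dict per non-empty JSON line."""
    for line in raw.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def matches_rule(event: Dict[str, object]) -> bool:
    """Approximation of the rule: a script block log record (assumed Event
    ID 4104) whose ScriptBlockText contains the cmdlet name anywhere."""
    if event.get("EventID") != 4104:
        return False
    text = str(event.get("ScriptBlockText", ""))
    return CMDLET.lower() in text.lower()


def detect(raw: str) -> List[Dict[str, object]]:
    """Return every record in the raw log that the rule would flag."""
    return [event for event in parse_events(raw) if matches_rule(event)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"[ALERT] {hit['Computer']}: {str(hit['ScriptBlockText']).strip()}")
```

Three of the five records match: the two genuine invocations (including the upper-cased one) and the `Write-Host` line that merely mentions the cmdlet inside a string. That last hit shows the false-positive class an analyst should expect from a plain substring match (help text, comments, documentation snippets), which is why triage should look at the surrounding script block and the invoking process rather than the matched token alone. The record with Event ID 4103 is skipped because it is not a script block log entry under the example's assumption.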
Categories
  • Windows
  • Network
Data Sources
  • Script
  • Network Traffic
ATT&CK Techniques
  • T1040
Created: 2024-05-12