HackTool - WinPwn Execution - ScriptBlock

Summary
This detection rule identifies execution of the WinPwn tool, which is used for reconnaissance and exploitation in Windows and Active Directory environments. It matches specific keywords in the PowerShell script block text that are unique to WinPwn. For the rule to function, Script Block Logging must be enabled on the monitored system, since that is what records the content of executed PowerShell script blocks. The rule is intended to alert security teams to potential credential access or exploitation attempts that leverage this tool. It carries a high severity level because the tool is associated with credential access and privilege escalation attacks.
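As an added example (not part of the rule page itself), the following PowerShell enables the Script Block Logging prerequisite via its policy registry key and then confirms that Event ID 4104 script block events are being recorded. The keyword filter uses only the tool name from the summary as a stand-in; it is not the rule's actual keyword list.

```powershell
# Added example: enable PowerShell Script Block Logging (prerequisite for this rule)
# by setting the policy registry value, then verify 4104 events are being written.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Script block content is logged as Event ID 4104 in the PowerShell Operational log.
# Properties[2] of a 4104 event is the ScriptBlockText field that this rule inspects.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 4104 events found yet; run a PowerShell command and re-check.'
}

# Simplified stand-in for the rule's keyword match: the tool name from the summary.
# The real Sigma rule uses its own, more specific keyword list.
$events |
    Where-Object { $_.Properties[2].Value -match 'WinPwn' } |
    Select-Object TimeCreated,
                  @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```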
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1082
Created: 2023-12-04