Potential PowerShell HackTool Script by Author

Elastic Detection Rules

Summary
This detection rule identifies PowerShell scripts that contain the names or handles of known authors of offensive tooling used in red team exercises. Attackers frequently run such publicly available scripts unmodified, leaving the original author references in place. The rule uses PowerShell Script Block Logging to detect executions of scripts that mention specific author handles, which indicates possible malicious use of otherwise legitimate toolsets. The PowerShell Script Block Logging policy must be enabled for the rule to receive the data it needs; the rule carries a high risk score, reflecting the severity of the activity it detects. Investigation following an alert should examine the execution context (the user, parent process and host) together with the matched author names to determine whether the activity is legitimate, since unreviewed matches may represent a security incident. The rule includes recommended response actions for confirmed alerts, including isolating the affected host and terminating the offending process.
Categories
  • Endpoint
  • Windows
  • Other
Data Sources
  • Windows Registry
  • Script
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.001
Created: 2024-05-08