
Summary
This threat detection rule identifies suspicious PowerShell clipboard activity that may indicate adversary intent. It looks specifically for PowerShell commands that interact with the Windows clipboard through SendKeys. Such activity is often seen together with standard text editors such as Notepad or WordPad, which can be used to manipulate data stealthily. The detection aligns with the BbyStealer malware, which is known to use various command and scripting interpreters to exfiltrate clipboard data. The detection logic applies specific EventCode checks to endpoint logs and correlates them with common commands that interact with the clipboard and text editors, building a comprehensive view of potentially malicious actions on an endpoint. By monitoring the specified event IDs and command patterns, organizations can flag and investigate threats that leverage clipboard data for malicious purposes.
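The correlation the summary describes (an EventCode filter, then co-occurrence of clipboard, SendKeys and text-editor indicators in the command text) can be expressed as a small scoring function. The following is an added illustration written for this page, not the rule's own search logic: the event shapes, the field names, the EventCode values (4104 for PowerShell script block logging, 4688 for process creation) and the sample records are all assumptions constructed for the example, and the indicator patterns are only a starting point that a real rule would tune against its own telemetry.

```python
import re
from dataclasses import dataclass

# Assumed Windows event IDs for the two log shapes the example reads.
# The rule on the page names its own EventCodes; these are stand-ins.
PS_SCRIPTBLOCK = 4104   # Microsoft-Windows-PowerShell/Operational, script block text
PROC_CREATE = 4688      # Security log, new process created (command-line auditing on)

# Indicator families the rule correlates. Each is a case-insensitive regex.
INDICATORS = {
    "clipboard": re.compile(r"get-clipboard|set-clipboard|\bclip(\.exe)?\b|windows\.clipboard", re.I),
    "sendkeys":  re.compile(r"sendkeys|sendwait", re.I),
    "editor":    re.compile(r"\b(notepad|wordpad)(\.exe)?\b", re.I),
}


@dataclass
class Finding:
    host: str
    event_code: int
    matched: list
    severity: str
    text: str


def command_text(event):
    """Return the PowerShell text carried by the event, or '' if not applicable."""
    code = event.get("EventCode")
    if code == PS_SCRIPTBLOCK:
        return event.get("ScriptBlockText", "")
    if code == PROC_CREATE:
        cmdline = event.get("CommandLine", "")
        # Only process-creation events that launch PowerShell are in scope.
        return cmdline if re.search(r"powershell|pwsh", cmdline, re.I) else ""
    return ""


def evaluate(event):
    """Apply the correlation: clipboard AND SendKeys must both appear;
    a text editor in the same command raises the severity."""
    text = command_text(event)
    if not text:
        return None
    matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "clipboard" not in matched or "sendkeys" not in matched:
        return None
    severity = "high" if "editor" in matched else "medium"
    return Finding(event["host"], event["EventCode"], matched, severity, text)


def detect(events):
    """Run the rule over a batch of events and return the findings."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample records (not real telemetry) in a flattened event shape.
SAMPLE_EVENTS = [
    # clipboard read with no SendKeys: below the correlation threshold
    {"EventCode": 4104, "host": "ws01",
     "ScriptBlockText": "Get-Clipboard | Out-File C:\\Users\\Public\\clip.txt"},
    # clipboard + SendKeys + Notepad in one script block: high
    {"EventCode": 4104, "host": "ws02",
     "ScriptBlockText": ("Add-Type -AssemblyName System.Windows.Forms; "
                         "Start-Process notepad.exe; "
                         "[System.Windows.Forms.SendKeys]::SendWait('{ENTER}'); "
                         "Get-Clipboard")},
    # PowerShell launched from process creation, clipboard + SendKeys, no editor: medium
    {"EventCode": 4688, "host": "ws03",
     "CommandLine": ("powershell.exe -NoProfile -Command \"Set-Clipboard -Value (hostname); "
                     "[System.Windows.Forms.SendKeys]::SendWait('{TAB}')\"")},
    # ordinary administrative PowerShell: no indicators
    {"EventCode": 4104, "host": "ws04",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Notepad started directly, not via PowerShell: out of scope
    {"EventCode": 4688, "host": "ws05",
     "CommandLine": "notepad.exe C:\\temp\\notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} host={f.host} event={f.event_code} "
              f"indicators={','.join(f.matched)}")
```

Requiring both the clipboard and the SendKeys indicator before alerting keeps a lone Get-Clipboard (common in legitimate scripts) from firing, while the editor indicator is used only to rank the alert; either threshold is easy to loosen or tighten once the patterns are checked against a baseline of normal PowerShell activity.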
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Script
ATT&CK Techniques
- T1059.001
- T1115
Created: 2024-02-09