
Summary
This detection rule focuses on the PowerShell cmdlets 'Install-Module', which retrieves modules from an online repository, and 'Import-Module', which loads modules into the current session from online sources or local storage. The presence of these cmdlets in an execution context can indicate potentially malicious behavior, particularly in the hands of threat actors such as APT28. The rule leverages EDR logs to monitor process executions on Windows platforms within the last two hours. If a process execution event matches the regex pattern for these cmdlets, the rule raises an alert that warrants further investigation. Notably, the rule aligns with the procedures outlined in several MITRE ATT&CK techniques (T1059.001 and T1059), emphasizing script-based execution methods that adversaries often use for command and control or post-exploitation activity. This detection strategy is valuable in environments where PowerShell could be misused, helping organizations identify and mitigate the risk of legitimate administrative tools being turned to malicious purposes.
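The detection logic described above, as an added illustration that is not the rule's own query: a case-insensitive regex for the two cmdlets is applied to constructed EDR process events, with a two-hour lookback window. The event field names (timestamp, host, user, cmdline) and the sample command lines are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Case-insensitive match for the two cmdlets the rule names. PowerShell is
# case-insensitive, so "import-module" must be caught too; the \b anchors keep
# unrelated names such as "Import-ModuleHelper" from matching.
MODULE_CMDLET_RE = re.compile(r"\b(Install|Import)-Module\b", re.IGNORECASE)
LOOKBACK = timedelta(hours=2)  # the rule's search window

# Constructed sample EDR process events (not real telemetry); UTC ISO-8601 timestamps.
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T10:05:00", "host": "WS01", "user": "alice",
     "cmdline": 'powershell.exe -nop -c "Install-Module -Name SomeModule -Force"'},
    {"timestamp": "2024-02-09T10:20:00", "host": "WS02", "user": "bob",
     "cmdline": 'powershell.exe -c "import-module .\\tools.psm1; Invoke-Task"'},
    {"timestamp": "2024-02-09T10:30:00", "host": "WS03", "user": "carol",
     "cmdline": 'powershell.exe -c "Get-Service | Where-Object Status -eq Running"'},
    {"timestamp": "2024-02-09T06:00:00", "host": "WS04", "user": "dave",
     "cmdline": 'powershell.exe -c "Import-Module ActiveDirectory"'},  # older than 2h
]


def detect_module_cmdlets(events, now_iso):
    """Return one alert per event inside the lookback window (relative to
    now_iso) whose command line contains Install-Module or Import-Module."""
    now = datetime.fromisoformat(now_iso)
    earliest = now - LOOKBACK
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"])
        if ts < earliest or ts > now:
            continue  # outside the rule's two-hour window
        match = MODULE_CMDLET_RE.search(ev["cmdline"])
        if match:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "cmdlet": match.group(0), "cmdline": ev["cmdline"],
                           "technique": "T1059.001"})
    return alerts


if __name__ == "__main__":
    for a in detect_module_cmdlets(SAMPLE_EVENTS, "2024-02-09T11:00:00"):
        print(f"[{a['technique']}] {a['host']} {a['user']}: {a['cmdlet']} -> {a['cmdline']}")
```

Import-Module is routine in legitimate administration, so in production the alert is usually tuned with an allowlist of known module names, hosts or accounts rather than fired on every match.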
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1059.001
- T1070.006
- T1059
Created: 2024-02-09