Import PowerShell Modules From Suspicious Directories

Sigma Rules

Summary
This detection rule monitors PowerShell script blocks that import modules from suspicious or potentially malicious directories, in particular user-specific locations such as the Temp and AppData folders and the Public profile directory. It relies on Script Block Logging, which must be enabled on the system, to inspect the command text of executed PowerShell scripts. By looking for the "Import-Module" command loading a module from one of these paths, the rule flags possible script abuse that may indicate an attack or other malicious activity. Benign imports from these locations can trigger false positives, so alerts need context-driven analysis. The rule is intended for Windows environments where PowerShell execution is common.
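As an added illustration, and not the rule's own Sigma logic or code from any project, the following Python sketch applies the detection described above to a few constructed Script Block Logging records. Event ID 4104 is the real Script Block Logging event in the Microsoft-Windows-PowerShell/Operational log; the regular expressions, sample events, field names and function names are this example's own assumptions. It goes slightly beyond the summary in two ways: it ties the path check to the actual argument of Import-Module (or its ipmo alias) rather than matching a path anywhere in the block, which trims the benign-import false positives the summary warns about, and it also recognises environment-variable forms of the same directories.

```python
import re
from typing import Iterable

# Event ID written by PowerShell Script Block Logging to
# Microsoft-Windows-PowerShell/Operational.
SCRIPT_BLOCK_EVENT_ID = 4104

# Directories the rule summary names as suspicious module sources. The exact
# regexes are this example's assumption; the locations come from the rule text.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\\Temp\\",                                    # e.g. ...\AppData\Local\Temp\
        r"\\AppData\\",                                 # any AppData subtree
        r"\\Users\\Public\\",                           # the Public profile
        r"%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%",         # cmd-style expansions
        r"\$env:(?:TEMP|TMP|APPDATA|LOCALAPPDATA)\b",   # PowerShell env vars
    )
]

# Import-Module (or its ipmo alias) followed by its first argument, given
# positionally or via -Name, double-quoted, single-quoted or bare.
IMPORT_MODULE_RE = re.compile(
    r"(?<![\w-])(?:Import-Module|ipmo)\s+(?:-Name\s+)?"
    r"(?:\"(?P<dq>[^\"]+)\"|'(?P<sq>[^']+)'|(?P<bare>[^\s;|)}]+))",
    re.IGNORECASE,
)


def suspicious_module_paths(script_block_text: str) -> list[str]:
    """Return every Import-Module argument that points into a suspicious
    directory. An empty list means the script block would not alert."""
    hits = []
    for m in IMPORT_MODULE_RE.finditer(script_block_text):
        arg = m.group("dq") or m.group("sq") or m.group("bare")
        if any(p.search(arg) for p in SUSPICIOUS_PATH_PATTERNS):
            hits.append(arg)
    return hits


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Apply the detection to Script Block Logging records (dicts with
    EventID, ScriptBlockId and ScriptBlockText) and return one alert per
    matching block."""
    alerts = []
    for ev in events:
        # Only 4104 carries the script text; other PowerShell events are ignored.
        if ev.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        hits = suspicious_module_paths(ev.get("ScriptBlockText", ""))
        if hits:
            alerts.append({"ScriptBlockId": ev.get("ScriptBlockId"), "Paths": hits})
    return alerts


# Constructed sample records standing in for 4104 events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "sb-1",
     "ScriptBlockText": r"Import-Module 'C:\Users\jdoe\AppData\Local\Temp\update.psm1'"},
    {"EventID": 4104, "ScriptBlockId": "sb-2",
     "ScriptBlockText": r"ipmo $env:APPDATA\tools\helper.psm1; Get-Process"},
    # Legitimate module; a Public path elsewhere in the block must not alert.
    {"EventID": 4104, "ScriptBlockId": "sb-3",
     "ScriptBlockText": r"Import-Module -Name ActiveDirectory; Get-ChildItem C:\Users\Public\Documents"},
    {"EventID": 4104, "ScriptBlockId": "sb-4",
     "ScriptBlockText": r'Import-Module "C:\Users\Public\Documents\Invoke-Tool.psm1"'},
    # Wrong event type: not a script block record, so it is skipped.
    {"EventID": 4103, "ScriptBlockId": "sb-5",
     "ScriptBlockText": r"Import-Module C:\Windows\Temp\x.psm1"},
    {"EventID": 4104, "ScriptBlockId": "sb-6",
     "ScriptBlockText": r"Import-Module C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints alerts for sb-1, sb-2 and sb-4 only: sb-3 shows why anchoring the path check to the Import-Module argument matters, and sb-5 shows the event-type filter. In a real pipeline the same function would run over the ScriptBlockText field of 4104 events, and a hit should still be read in context (who ran it, what the module was) before being escalated.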
Categories
  • Endpoint
  • Windows
  • Application
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1003.002
Created: 2022-07-07