Detect Empire with PowerShell Script Block Logging

Splunk Security Content

Summary
This rule detects suspicious PowerShell executions that indicate possible activity from the PowerShell-Empire post-exploitation framework. It relies on PowerShell Script Block Logging (EventCode=4104), which records the script blocks passed to PowerShell, and looks for the combination of `system.net.webclient` and Base64 encoding that is characteristic of Empire's initial stagers, which download and execute additional payloads. If this behavior is confirmed to be malicious, it may lead to code execution, data exfiltration, or further compromise of the affected system. The analytic strengthens endpoint monitoring for PowerShell misuse and helps surface attacks built on known frameworks such as PowerShell-Empire.
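Added example, not the project's own search logic: a Python check that applies the two indicators named in the summary to 4104 records and decodes any inline Base64 literal for analyst triage. The field names (EventCode, Computer, ScriptBlockText) follow the Windows event layout as Splunk ingests it; the sample events are constructed.

```python
import base64
import re

# Constructed sample events shaped like Windows PowerShell 4104 (Script Block
# Logging) records. They are not real captures.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01", "ScriptBlockText":
        "$wc = New-Object System.Net.WebClient; "
        "$b = [System.Convert]::FromBase64String('SGVsbG8gV29ybGQ='); "
        "Write-Output ([System.Text.Encoding]::UTF8.GetString($b))"},
    # Legitimate-looking download: WebClient alone should not fire.
    {"EventCode": 4104, "Computer": "ws02", "ScriptBlockText":
        "(New-Object System.Net.WebClient).DownloadFile("
        "'https://updates.example.internal/a.msi', 'C:\\Temp\\a.msi')"},
    # Both strings present but wrong event code (4103 is module logging).
    {"EventCode": 4103, "Computer": "ws03", "ScriptBlockText":
        "FromBase64String system.net.webclient"},
    {"EventCode": 4104, "Computer": "ws04", "ScriptBlockText":
        "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

# The two indicators the rule keys on; matched case-insensitively because
# PowerShell type and method names are not case-sensitive.
INDICATORS = ("system.net.webclient", "frombase64string")

# Inline Base64 literal handed straight to FromBase64String(...).
B64_LITERAL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]", re.IGNORECASE)


def is_empire_stager_like(event):
    """True for a 4104 event whose script block contains both indicators."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(ind in text for ind in INDICATORS)


def decoded_literals(script_block_text):
    """Decode inline Base64 literals so an analyst can see what was staged."""
    out = []
    for match in B64_LITERAL.finditer(script_block_text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            out.append(raw.decode("utf-8", errors="replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append("<undecodable>")
    return out


def scan(events):
    """Return one triage record per matching host."""
    return [{"Computer": e["Computer"],
             "decoded": decoded_literals(e["ScriptBlockText"])}
            for e in events if is_empire_stager_like(e)]
```

Run `scan(SAMPLE_EVENTS)` to see that only the ws01 block fires; the decoded literal gives the analyst an immediate view of the staged content.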
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
ATT&CK Techniques
  • T1059
  • T1059.001
Created: 2024-11-13