
PowerShell ICMP Data Exfiltration

Anvilogic Forge

Summary
This detection rule targets potential data exfiltration performed via PowerShell scripts that use the Internet Control Message Protocol (ICMP) as the transport. It is based on the premise that adversaries often reuse an existing command and control (C2) channel to exfiltrate sensitive information. The rule uses Splunk to identify PowerShell scripts that issue ICMP calls indicative of a potential data leak. The logic first filters events on key parameters (EventCode=4103, System, Net, etc.), then applies regex extraction to pull out the names of PowerShell scripts whose logged network information contains 'ping' commands. Results are aggregated and displayed over time to pinpoint suspicious activity.
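The two-stage logic described above, as an added Python example that is not the Forge rule itself: an EventCode/System.Net filter, then a 'ping' check with script-name extraction, aggregated per script per hour. The record layout, the field names other than EventCode, and the sample events are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The two things the rule keys on: the script path recorded in the 4103
# ContextInfo block, and a "ping" token in the executed-pipeline payload.
SCRIPT_NAME_RE = re.compile(r"Script Name = (?P<script>[^\r\n]+)")
PING_RE = re.compile(r"\bping\b", re.IGNORECASE)

def make_event(ts, code, payload, script=None):
    """Constructed record in the shape of a Windows PowerShell 4103 event."""
    ctx = "Severity = Informational\n        Host Name = ConsoleHost"
    if script:
        ctx += f"\n        Script Name = {script}"
    return {"TimeCreated": ts, "EventCode": code, "Payload": payload, "ContextInfo": ctx}

PING_OBJ = 'ParameterBinding(New-Object): name="TypeName"; value="System.Net.NetworkInformation.Ping"'
SYNC = r"C:\Users\alice\Documents\sync.ps1"
SAMPLE_EVENTS = [  # constructed sample log, not real telemetry
    make_event("2024-02-09T10:01:12", 4103, PING_OBJ, SYNC),
    make_event("2024-02-09T10:14:55", 4103, PING_OBJ, SYNC),
    make_event("2024-02-09T11:03:40", 4103, PING_OBJ, SYNC),
    make_event("2024-02-09T10:20:07", 4103,  # System.Net but no ping: benign download
               'ParameterBinding(New-Object): name="TypeName"; value="System.Net.WebClient"',
               r"C:\Scripts\inventory.ps1"),
    make_event("2024-02-09T10:30:00", 4104,  # script-block event, outside this rule's scope
               "ping -n 1 10.0.0.5  # System.Net", r"C:\Scripts\probe.ps1"),
    make_event("2024-02-09T12:00:00", 4103, PING_OBJ),  # interactive session, no script path
]

def is_candidate(ev):
    """Stage 1 of the rule: a module-logging (4103) event that references System.Net."""
    return ev.get("EventCode") == 4103 and "System.Net" in ev.get("Payload", "") + ev.get("ContextInfo", "")

def detect_icmp_exfil(events, bucket="%Y-%m-%dT%H"):
    """Stage 2: keep candidates whose payload carries a ping, pull the script name from
    ContextInfo and count hits per script per time bucket (hourly by default). Events
    without a script path are kept under a placeholder so interactive sessions are not lost."""
    hits = defaultdict(Counter)
    for ev in events:
        if not (is_candidate(ev) and PING_RE.search(ev.get("Payload", ""))):
            continue
        m = SCRIPT_NAME_RE.search(ev.get("ContextInfo", ""))
        script = m.group("script").strip() if m else "(no script name)"
        ts = datetime.fromisoformat(ev["TimeCreated"]).strftime(bucket)
        hits[script][ts] += 1
    return {script: dict(series) for script, series in hits.items()}
```

On the constructed sample, sync.ps1 shows two hits in the 10:00 hour and one in the 11:00 hour, the WebClient download and the 4104 script-block event are filtered out, and the interactive session lands under the placeholder key.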
Categories
  • Endpoint
  • Network
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1048.003
  • T1059.001
  • T1041
Created: 2024-02-09