
Windows PowerShell IIS Components WebGlobalModule Usage

Splunk Security Content

Summary
This analytic rule is designed to detect suspicious PowerShell activity involving specific IIS cmdlets whose use may indicate an attack or misuse of privileges within a Windows environment. By monitoring EventCode 4104 from PowerShell Script Block Logging, the detection focuses on the use of 'New-WebGlobalModule', 'Enable-WebGlobalModule', and 'Set-WebGlobalModule'. These cmdlets let an attacker manipulate IIS configuration, potentially bypassing security measures and establishing persistence within the network. The rule tracks occurrences of these cmdlets, providing insight into possible security incidents that can lead to unauthorized access or web server manipulation. If malicious activity is confirmed, the consequences can be serious, including privilege escalation and changes to web server behavior. Implementing the rule requires enabling PowerShell Script Block Logging on endpoints (so that EventCode 4104 events are generated and forwarded) and defining appropriate response measures for identified threats.
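The following is an added example, not Splunk's own search or any code from this detection: it applies the matching logic the summary describes to a handful of constructed EventCode 4104 records. Host names, user names and script block contents are invented, and the field names (EventCode, Computer, UserID, ScriptBlockText) are assumed to mirror what a script block logging event carries once ingested. It also covers two edge cases the rule has to handle: PowerShell cmdlet names are case-insensitive, and the read-only 'Get-WebGlobalModule' must not trigger a finding.

```python
import re
from collections import Counter

# Cmdlets named by the analytic. PowerShell resolves cmdlet names case-insensitively,
# so the pattern uses re.IGNORECASE; the \b anchors keep 'Get-WebGlobalModule' from matching.
IIS_MODULE_CMDLETS = ("New-WebGlobalModule", "Enable-WebGlobalModule", "Set-WebGlobalModule")
CMDLET_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in IIS_MODULE_CMDLETS) + r")\b",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical hosts and users, not real telemetry).
# The fields are assumed to mirror a Script Block Logging event after ingestion.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "web01.example.local", "UserID": "EXAMPLE\\iisadmin",
     "ScriptBlockText": "Import-Module WebAdministration; Get-WebGlobalModule"},
    {"EventCode": 4104, "Computer": "web01.example.local", "UserID": "EXAMPLE\\svc_deploy",
     "ScriptBlockText": "new-webglobalmodule -Name ExampleModule -Image C:\\placeholder\\module.dll"},
    {"EventCode": 4104, "Computer": "web02.example.local", "UserID": "EXAMPLE\\svc_deploy",
     "ScriptBlockText": "Enable-WebGlobalModule -Name ExampleModule"},
    # Wrong EventCode: the rule only looks at 4104, so this must be ignored.
    {"EventCode": 4103, "Computer": "web02.example.local", "UserID": "EXAMPLE\\svc_deploy",
     "ScriptBlockText": "Set-WebGlobalModule -Name ExampleModule -Image C:\\other\\x.dll"},
    {"EventCode": 4104, "Computer": "web03.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": "Write-Host 'nothing to see here'"},
]


def match_iis_module_cmdlets(event):
    """Return the matched cmdlet names (canonical casing) for a 4104 event, or [] otherwise."""
    if event.get("EventCode") != 4104:
        return []
    canonical = {c.lower(): c for c in IIS_MODULE_CMDLETS}
    return [canonical[m.lower()] for m in CMDLET_PATTERN.findall(event.get("ScriptBlockText", ""))]


def detect(events):
    """Return one finding per matching event, keeping the fields an analyst needs for triage."""
    findings = []
    for ev in events:
        hits = match_iis_module_cmdlets(ev)
        if hits:
            findings.append({"Computer": ev["Computer"], "UserID": ev["UserID"],
                             "cmdlets": hits, "ScriptBlockText": ev["ScriptBlockText"]})
    return findings


def summarise(findings):
    """Count findings per (Computer, UserID); this is how the rule tracks occurrences."""
    return Counter((f["Computer"], f["UserID"]) for f in findings)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['Computer']} {f['UserID']} {','.join(f['cmdlets'])}: {f['ScriptBlockText']}")
    for (host, user), n in summarise(found).items():
        print(f"{host} {user}: {n} event(s)")
```

Note that this matches on the script block text alone, so a comment or a string containing the cmdlet name will also fire; legitimate deployment automation that registers IIS modules will show up the same way. Both are reasons to review the originating user and host before treating a hit as an incident, rather than to loosen the match.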
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Process
  • File
  • Command
ATT&CK Techniques
  • T1505.004
  • T1505
Created: 2024-11-13