
Summary
This rule detects screen capture activity on Windows systems carried out through the .NET method `CopyFromScreen`. Adversaries may use remote access tools that capture the screen to gather sensitive information after compromise. The detection monitors PowerShell script execution and looks for script blocks that invoke the `CopyFromScreen` method, which indicates a potential attempt to capture the desktop's visual output. For the detection to work, PowerShell Script Block Logging must be enabled on the Windows hosts. This rule is categorized under collection techniques, specifically T1113 (Screen Capture) in the MITRE ATT&CK framework.
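The following is an added illustration of the detection logic described above, written for this page and not the rule's own query. It assumes PowerShell Script Block Logging events (Event ID 4104) are supplied as dicts carrying the fields ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText and Path, and it reassembles multi-fragment script blocks before matching so that a call split across two log records is not missed. The sample events are constructed for the example.

```python
"""Flag PowerShell Script Block Logging events (Event ID 4104) whose script
text invokes the .NET Graphics.CopyFromScreen method (MITRE ATT&CK T1113).

Added example, not the rule's own query. Assumptions:
- Each event is a dict with the 4104 fields ScriptBlockId, MessageNumber,
  MessageTotal, ScriptBlockText and Path.
- Long script blocks are logged as several 4104 events sharing one
  ScriptBlockId; they are joined in MessageNumber order before matching.
"""
import re
from collections import defaultdict

# PowerShell member names are case-insensitive, so `copyfromscreen` must match
# too. Requiring a leading '.' and a trailing '(' avoids firing on comments or
# strings that merely mention the method name.
COPY_FROM_SCREEN = re.compile(r"\.\s*CopyFromScreen\s*\(", re.IGNORECASE)


def reassemble_script_blocks(events):
    """Group 4104 fragments by ScriptBlockId and join them in order."""
    fragments = defaultdict(list)
    for ev in events:
        fragments[ev["ScriptBlockId"]].append(ev)

    blocks = {}
    for block_id, frags in fragments.items():
        frags.sort(key=lambda e: int(e["MessageNumber"]))
        blocks[block_id] = {
            "ScriptBlockId": block_id,
            "Path": frags[0].get("Path", ""),
            "ScriptBlockText": "".join(f["ScriptBlockText"] for f in frags),
            # True only if every fragment of the block was collected.
            "complete": len(frags) == int(frags[0]["MessageTotal"]),
        }
    return blocks


def detect_copy_from_screen(events):
    """Return one alert per script block that calls CopyFromScreen."""
    alerts = []
    for block in reassemble_script_blocks(events).values():
        match = COPY_FROM_SCREEN.search(block["ScriptBlockText"])
        if match:
            alerts.append({
                "ScriptBlockId": block["ScriptBlockId"],
                "Path": block["Path"],
                "technique": "T1113",
                "match": match.group(0),
                "complete": block["complete"],
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: queries display hardware, never calls CopyFromScreen.
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\Scripts\\inventory.ps1",
     "ScriptBlockText": "Get-CimInstance Win32_VideoController | "
                        "Select-Object Name, CurrentHorizontalResolution"},
    # Benign: a comment that names the method without invoking it.
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\Scripts\\review.ps1",
     "ScriptBlockText": "# Audit note: flag any use of CopyFromScreen "
                        "in vendor scripts"},
    # Suspicious: a capture routine logged in two fragments, with the method
    # call straddling the fragment boundary (missed without reassembly).
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "Add-Type -AssemblyName System.Drawing\n"
                        "$b = New-Object System.Drawing.Bitmap 1920,1080\n"
                        "$g = [System.Drawing.Graphics]::FromImage($b)\n"
                        "$g.CopyFrom"},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "Screen(0, 0, 0, 0, $b.Size)\n"
                        "$b.Save('C:\\Users\\Public\\cap.png')"},
]


if __name__ == "__main__":
    for alert in detect_copy_from_screen(SAMPLE_EVENTS):
        print(alert)
```

An empty Path, as in the flagged block, is itself worth noting during triage: it means the script block was run interactively or from memory rather than from a file on disk.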
Categories
- Windows
- Endpoint
Data Sources
- Script
- Application Log
ATT&CK Techniques
- T1113
Created: 2021-12-28