
Windows Default Cobalt Strike PowerShell Beacon

Splunk Security Content

Summary
Detects default function and variable names commonly used by the Cobalt Strike PowerShell beacon to establish command-and-control on a Windows host. The rule targets PowerShell Script Block Logging (Event ID 4104) events and filters ScriptBlockText for known beacon indicators: func_get_proc_address, var_unsafe_native_methods, var_gpa.Invoke, func_get_delegate_type, and var_type_builder. The query aggregates results by host and related metadata (Computer, EventID, ScriptBlockText, dest, signature, signature_id, user_id, Path, ProcessID, ScriptBlockId) and by first/last timestamps to identify beacon activity windows. Implementation assumes ingestion of EDR telemetry mapped to the Endpoint CIM model, with logs containing process GUID, process name, parent process, and full command lines. When matched, the rule surfaces contextual drill-downs (per-user and per-destination views) and risk-based analysis for the last 7 days, highlighting potentially dangerous activity and ATT&CK mappings (T1059.001, T1204.002). False positives are considered unlikely since the indicators correspond to default Cobalt Strike beacon code; however, modifications to the beacon could evade detection. The rule is designed for Splunk environments using CIM normalization and appropriate Splunk Add-ons for EDR data, enabling rapid investigation and containment workflows.
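To make the matching and aggregation logic concrete outside Splunk, the following is an added Python example (not Splunk Security Content's own detection code): it matches the five indicator strings listed in the summary against Event ID 4104 records and rolls hits up by host, user, process and script block into an activity window. The record layout and every sample value are constructed for illustration; the field names follow the ones the summary says the rule aggregates on.

```python
"""Added example: match the default Cobalt Strike PowerShell beacon names in
Event ID 4104 records and summarise hits per host, in the spirit of the Splunk
rule summarised above. Record shapes and all sample values are constructed."""
from collections import defaultdict

# Indicator strings listed in the rule summary (default beacon function/variable names).
BEACON_INDICATORS = (
    "func_get_proc_address",
    "var_unsafe_native_methods",
    "var_gpa.Invoke",
    "func_get_delegate_type",
    "var_type_builder",
)

# Constructed sample of Script Block Logging records, already flattened to the
# field names the rule aggregates on. These are not real telemetry.
SAMPLE_EVENTS = [
    {
        "_time": "2026-04-13T09:14:02Z", "Computer": "ws01.corp.example", "EventID": 4104,
        "user_id": "CORP\\alice", "ProcessID": 4412, "ScriptBlockId": "block-0001",
        "ScriptBlockText": "$var_unsafe_native_methods = $var_type_builder ...",  # hypothetical fragment
    },
    {
        "_time": "2026-04-13T09:14:03Z", "Computer": "ws01.corp.example", "EventID": 4104,
        "user_id": "CORP\\alice", "ProcessID": 4412, "ScriptBlockId": "block-0001",
        "ScriptBlockText": "$var_gpa.Invoke($null, @(...)); func_get_delegate_type ...",  # hypothetical fragment
    },
    {
        "_time": "2026-04-13T09:20:00Z", "Computer": "ws02.corp.example", "EventID": 4104,
        "user_id": "CORP\\bob", "ProcessID": 5120, "ScriptBlockId": "block-0002",
        "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name",  # benign admin activity
    },
    {
        "_time": "2026-04-13T09:21:00Z", "Computer": "ws02.corp.example", "EventID": 4103,
        "user_id": "CORP\\bob", "ProcessID": 5120, "ScriptBlockId": "block-0003",
        "ScriptBlockText": "func_get_proc_address",  # 4103 is module logging; the rule only inspects 4104
    },
]


def find_indicators(script_block_text: str) -> list[str]:
    """Return the indicators present in a script block. Matching is
    case-insensitive, as PowerShell identifiers and Splunk literal terms are."""
    text = script_block_text.casefold()
    return [ind for ind in BEACON_INDICATORS if ind.casefold() in text]


def detect_beacon_blocks(events):
    """Keep only Event ID 4104 records whose ScriptBlockText contains at least one indicator."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        matched = find_indicators(ev.get("ScriptBlockText", ""))
        if matched:
            hits.append({**ev, "matched_indicators": matched})
    return hits


def aggregate_by_host(hits):
    """Group hits by host/user/process/script block and compute the activity
    window (firstTime/lastTime) plus the union of indicators seen, mirroring
    the stats-style aggregation the rule performs."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "indicators": set()})
    for h in hits:
        key = (h["Computer"], h["user_id"], h["ProcessID"], h["ScriptBlockId"])
        g = groups[key]
        g["count"] += 1
        t = h["_time"]  # ISO-8601 UTC strings sort chronologically as plain strings
        g["firstTime"] = t if g["firstTime"] is None or t < g["firstTime"] else g["firstTime"]
        g["lastTime"] = t if g["lastTime"] is None or t > g["lastTime"] else g["lastTime"]
        g["indicators"].update(h["matched_indicators"])
    return {k: {**v, "indicators": sorted(v["indicators"])} for k, v in groups.items()}


if __name__ == "__main__":
    for key, summary in aggregate_by_host(detect_beacon_blocks(SAMPLE_EVENTS)).items():
        print(key, summary)
```

Running the block prints one aggregated row for the ws01 host: two 4104 blocks from the same ScriptBlockId, a one-second window, and four of the five indicators. The benign ws02 block and the 4103 record are dropped, which is the same filtering the summary describes; the 4103 case is a reminder that the rule depends on Script Block Logging being enabled and ingested, not on module logging alone.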
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1059.001
  • T1204.002
Created: 2026-04-13