
Summary
This detection rule identifies PowerShell scripts used to capture audio from input devices, an activity often leveraged by attackers during post-exploitation. The rule is designed for Windows environments and aims to detect the execution of scripts that carry audio-capture capabilities. Key indicators are specific PowerShell function calls associated with audio recording and the presence of particular strings in the logged script block text. The detection relies on Windows event logs shipped by Winlogbeat, specifically PowerShell logging, to monitor for misuse of PowerShell, a tool commonly available to system administrators that attackers can also exploit for malicious activity. The analysis process outlined in the rule covers investigating the nature of the script, its execution context and potential exfiltration paths, followed by appropriate incident response actions and preventative measures to reduce the risk of recurrence. The rule's effectiveness depends on certain logging configurations being enabled, specifically PowerShell Script Block Logging, which captures the detailed execution information the rule matches on. The risk score is set at 47, indicating a medium-level threat.
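As an added example (not code from the rule or its vendor), the matching logic described above run in Python over constructed Script Block Logging events. The indicator list (the winmm.dll exports waveInOpen, waveInStart and waveInAddBuffer, NAudio's WaveInEvent type, and the function name Get-MicrophoneAudio) is an assumption rather than the rule's own pattern, and the reassembly step shows why fragmented 4104 events should be joined per ScriptBlockId before matching.

```python
import re
from collections import defaultdict

# Indicators of audio-capture capability in PowerShell script text. Assumption
# for this example: Windows waveform-audio API exports (winmm.dll), the NAudio
# recorder type and a recorder function name; the rule's own list may differ.
AUDIO_CAPTURE_INDICATORS = re.compile(
    r"waveInOpen|waveInStart|waveInAddBuffer|WaveInEvent|Get-MicrophoneAudio",
    re.IGNORECASE,  # PowerShell identifiers are case-insensitive
)

def reassemble_script_blocks(events):
    """Join fragmented 4104 events into one text per ScriptBlockId.

    Script Block Logging splits large blocks across several events; matching
    fragments individually would miss an indicator split across a boundary,
    so fragments are ordered by MessageNumber and concatenated first.
    """
    fragments = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only 4104 carries the script block text itself
        fragments[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {
        block_id: "".join(text for _, text in sorted(parts))
        for block_id, parts in fragments.items()
    }

def find_audio_capture_blocks(events):
    """Return [(ScriptBlockId, sorted lowercase indicators)] for matching blocks."""
    hits = []
    for block_id, text in reassemble_script_blocks(events).items():
        found = {m.group(0).lower() for m in AUDIO_CAPTURE_INDICATORS.finditer(text)}
        if found:
            hits.append((block_id, sorted(found)))
    return hits

# Constructed sample events (not real telemetry): one benign block, one
# audio-capture block split across two fragments, and one non-4104 event.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "b1", "MessageNumber": 1,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 2,
     "ScriptBlockText": "Open(...)'; Add-Type -MemberDefinition $sig; waveInStart"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1,
     "ScriptBlockText": "$sig = '[DllImport(\"winmm.dll\")] public static extern int waveIn"},
    {"EventID": 4103, "Payload": "CommandInvocation(Add-Type)"},
]

if __name__ == "__main__":
    print(find_audio_capture_blocks(SAMPLE_EVENTS))
```

Without the reassembly step only waveInStart would be found for block b2; the indicator that straddles the fragment boundary is recovered only after joining.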
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1123
- T1059
- T1059.001
- T1106
Created: 2021-10-19