
Extracting Information with PowerShell

Summary
This detection rule targets the extraction of information with PowerShell, which can indicate an adversary searching for files that hold insecurely stored credentials. Such credentials are often found in user-created files, shared credential stores, configuration files, or source code. The rule flags potentially harmful script execution by monitoring for PowerShell commands typically used to retrieve and inspect files across local systems and network shares: 'ls' for listing directory contents, the recursive search switch ('-R'), and string searching ('select-string') with pattern matching. Deploying this rule requires that Script Block Logging be enabled on the monitored Windows systems, since the script block text is the logging data the detection runs on.
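The following is an added example, not the rule's own source: a small Python matcher that approximates the logic described above (all of the listed tokens present, case-insensitively, in the text of a Script Block Logging event) and runs it over constructed sample events. The exact token list and the use of Event ID 4104 are assumptions made here, not taken from the rule.

```python
"""Approximation of the detection described on this page, run over
constructed Script Block Logging records (PowerShell Event ID 4104)."""

# Tokens derived from the rule summary. The real rule's exact strings and
# operators are an assumption here, not copied from the rule source.
REQUIRED_TOKENS = ("ls ", "-r", "select-string", "-pattern")

# Assumed event: PowerShell/Operational 4104 carries the script block text.
SCRIPT_BLOCK_EVENT_ID = 4104

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01",
     "ScriptBlockText": "ls -R C:\\Users | select-string -Pattern 'password'"},
    {"EventID": 4104, "Computer": "ws02",
     "ScriptBlockText": "ls -R \\\\fs01\\share\\configs | Select-String -Pattern 'connectionString'"},
    # Recursive listing without a string search: should not fire.
    {"EventID": 4104, "Computer": "ws03",
     "ScriptBlockText": "ls -R .\\src | Measure-Object"},
    # Same text but not a script block event: should not fire.
    {"EventID": 4103, "Computer": "ws04",
     "ScriptBlockText": "ls -R | select-string -Pattern secret"},
]


def matches_rule(event: dict) -> bool:
    """True when the event is a script block whose text contains every
    required token. Sigma 'contains' is case-insensitive, so lowercase first."""
    if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(token in text for token in REQUIRED_TOKENS)


def find_alerts(events: list) -> list:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"{e['Computer']}: {e['ScriptBlockText']}")
```

Note that the '-R' token is a loose substring match and will also hit switches such as '-Recurse' or '-ReadCount', so baseline the rule against normal administrative activity before alerting on it.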
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1552.001
Created: 2021-12-19