
Summary
This analytic identifies PowerShell scripts that capture screen images on a Windows host. It relies on PowerShell Script Block Logging (EventCode 4104) and looks for script block text that combines the building blocks of a screenshot routine: creating a `Drawing.Bitmap` object and calling `.CopyFromScreen()` on a graphics object bound to it. Together these map to ATT&CK T1113 (Screen Capture) and are a common way for an attacker, or a commodity stealer, to collect sensitive on-screen data before exfiltration. If confirmed, the behavior indicates an adversary with code execution on the host actively collecting data, so treat it as a likely precursor to a data breach. Script Block Logging must be enabled on the endpoint for 4104 events to exist, and long script blocks are logged across several 4104 events that share a ScriptBlockId, so the two indicators may not appear in the same event. Legitimate imaging or reporting scripts also use System.Drawing; review the full script block, the invoking user, and the parent process before escalating. Mitigations include restricting which users and processes may run PowerShell, enforcing script execution policy and application control on endpoints, and monitoring script block logs so that detected events can be triaged quickly.
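The following is an added worked example, not part of the original analytic or its search. It runs the detection logic described above over a handful of constructed 4104 events (the hostnames, SIDs, ScriptBlockId values and script text are all made up) and reassembles chunked script blocks by ScriptBlockId before matching, so a script whose `Drawing.Bitmap` and `CopyFromScreen` pieces were logged in separate events is still caught. The regex patterns are the example's own choice and are broader than a literal substring match on `.CopyFromScreen()`.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Long script blocks are logged
# as several 4104 events that share a ScriptBlockId, so the two indicators may
# land in different events; the detector joins them before matching.
SAMPLE_EVENTS = [
    # Benign directory listing: no alert
    {"EventCode": 4104, "Computer": "WS01", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockId": "aaaa-0001", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    # Screenshot routine logged in a single event: alert
    {"EventCode": 4104, "Computer": "WS01", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockId": "bbbb-0002", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": (
         "Add-Type -AssemblyName System.Drawing; "
         "$b = New-Object Drawing.Bitmap 1920, 1080; "
         "$g = [Drawing.Graphics]::FromImage($b); "
         "$g.CopyFromScreen(0, 0, 0, 0, $b.Size); "
         "$b.Save('C:\\Windows\\Temp\\s.png')")},
    # Same routine split across two 4104 events: alert only after reassembly
    {"EventCode": 4104, "Computer": "WS02", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockId": "cccc-0003", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$bmp = New-Object System.Drawing.Bitmap($w, $h); "},
    {"EventCode": 4104, "Computer": "WS02", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockId": "cccc-0003", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": ("$gfx = [System.Drawing.Graphics]::FromImage($bmp); "
                         "$gfx.CopyFromScreen(0, 0, 0, 0, $bmp.Size)")},
    # Bitmap used to convert an image file, no screen capture: no alert
    {"EventCode": 4104, "Computer": "WS03", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockId": "dddd-0004", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": ("$img = New-Object System.Drawing.Bitmap('C:\\in.png'); "
                         "$img.Save('C:\\out.jpg')")},
    # Not a script block event at all: ignored regardless of content
    {"EventCode": 4103, "Computer": "WS03", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockId": "eeee-0005", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "CopyFromScreen Drawing.Bitmap"},
]

# Both indicators must be present in one (reassembled) script block.
INDICATORS = {
    "bitmap": re.compile(r"Drawing\.Bitmap", re.IGNORECASE),
    "copyfromscreen": re.compile(r"\.CopyFromScreen\s*\(", re.IGNORECASE),
}


def reassemble_script_blocks(events):
    """Group 4104 chunks by ScriptBlockId and join them in MessageNumber order.

    Returns {ScriptBlockId: {"Computer", "UserID", "ScriptBlockText"}}.
    Non-4104 events are dropped.
    """
    chunks = defaultdict(list)
    meta = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        sbid = ev["ScriptBlockId"]
        chunks[sbid].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        meta.setdefault(sbid, {"Computer": ev["Computer"], "UserID": ev["UserID"]})
    blocks = {}
    for sbid, parts in chunks.items():
        text = "".join(t for _, t in sorted(parts))
        blocks[sbid] = dict(meta[sbid], ScriptBlockText=text)
    return blocks


def detect_screen_capture(events):
    """Return one finding per reassembled script block that matches every indicator."""
    findings = []
    for sbid, blk in reassemble_script_blocks(events).items():
        if all(p.search(blk["ScriptBlockText"]) for p in INDICATORS.values()):
            findings.append({"ScriptBlockId": sbid,
                             "Computer": blk["Computer"],
                             "UserID": blk["UserID"]})
    return findings


if __name__ == "__main__":
    for f in detect_screen_capture(SAMPLE_EVENTS):
        print("T1113 screen capture candidate:", f)
```

Without the reassembly step, the `cccc-0003` script would be missed because neither of its two events contains both indicators; the `dddd-0004` block shows why requiring both indicators, rather than `Drawing.Bitmap` alone, keeps ordinary image-processing scripts out of the alert queue.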
Categories
- Windows
- Endpoint
- Application
- Cloud
Data Sources
- Persona
- Script
- Pod
ATT&CK Techniques
- T1113
Created: 2024-11-13