Windows PowerShell Script TabExpansion Direct Call

Splunk Security Content

Summary
This anomaly rule flags direct invocations of the PowerShell TabExpansion internal function, which is atypical and can indicate TabShell-style abuse. It targets PowerShell Script Block Logging event 4104 and searches ScriptBlockText for patterns such as *$lastWord*, *$_val=' + $_expression*, and *function Write-Members*, which together suggest an attacker manipulating tab-completion internals to load or execute arbitrary PowerShell code (even within sandboxed contexts). The rule aggregates telemetry by Computer, EventID, ScriptBlockText, signature fields, user, vendor_product, GUID, and process details (ProcessID, ScriptBlockId) to surface first/last seen times and a destination host. An associated risk alert is generated with a message like “Potential PowerShell TabExpansion activity observed on dest via script block ScriptBlockId.” Implementation relies on endpoint telemetry from EDR agents, requiring ingestion of complete command lines and process lineage (process GUID, process name, parent process), mapped to the Endpoint CIM data model (Processes node), and normalized via the Splunk CIM for consistent field naming. False positives are possible due to legitimate administrative or development use; filtering trusted admin/developer activity is recommended. The rule provides drilldown and risk-context searches and references Tabshell techniques to aid investigation.
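As an added illustration (not Splunk's own search or code), the matching and aggregation the summary describes, in Python over constructed script block records: the three ScriptBlockText patterns are matched case-insensitively, any single match counts as a hit (an assumption about how the rule combines them), matching 4104 events are grouped per host and ScriptBlockId with first/last seen, and the risk message is built in the quoted form. Host names, user names and ScriptBlockId values are constructed sample data.

```python
import fnmatch
# Wildcard patterns quoted in the rule summary, matched case-insensitively like a Splunk wildcard.
PATTERNS = ("*$lastWord*", "*$_val=' + $_expression*", "*function Write-Members*")

# Constructed 4104/4103 records standing in for Script Block Logging telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:01", "EventID": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ProcessID": 4120, "ScriptBlockId": "b3c1-0001",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length"},
    {"_time": "2024-01-10T09:05:12", "EventID": 4104, "Computer": "ws07.corp.example",
     "UserID": "CORP\\bob", "ProcessID": 5588, "ScriptBlockId": "b3c1-0002",
     "ScriptBlockText": "function Write-Members { param($obj) $obj | Get-Member }"},
    {"_time": "2024-01-10T09:05:15", "EventID": 4104, "Computer": "ws07.corp.example",
     "UserID": "CORP\\bob", "ProcessID": 5588, "ScriptBlockId": "b3c1-0002",
     "ScriptBlockText": "$_val=' + $_expression; TabExpansion $line $lastWord"},
    {"_time": "2024-01-10T09:06:00", "EventID": 4103, "Computer": "ws07.corp.example",
     "UserID": "CORP\\bob", "ProcessID": 5588, "ScriptBlockId": "b3c1-0003",
     "ScriptBlockText": "Write-Output $lastWord"},  # not 4104: out of the rule's scope
]

def matched_patterns(script_block_text):
    """Return the rule patterns this ScriptBlockText matches (any single match is a hit)."""
    text = script_block_text.lower()
    return [p for p in PATTERNS if fnmatch.fnmatchcase(text, p.lower())]

def tabexpansion_hits(events):
    """Aggregate matching 4104 events per (Computer, ScriptBlockId), like the rule's stats step."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        found = matched_patterns(ev["ScriptBlockText"])
        if not found:
            continue
        key = (ev["Computer"], ev["ScriptBlockId"])
        h = hits.setdefault(key, {"dest": ev["Computer"], "ScriptBlockId": ev["ScriptBlockId"],
                                  "ProcessID": ev["ProcessID"], "user": ev["UserID"],
                                  "firstTime": ev["_time"], "lastTime": ev["_time"],
                                  "count": 0, "patterns": set()})
        h["firstTime"] = min(h["firstTime"], ev["_time"])  # ISO-8601 strings order correctly
        h["lastTime"] = max(h["lastTime"], ev["_time"])
        h["count"] += 1
        h["patterns"].update(found)
    return list(hits.values())

def risk_message(hit):
    """Risk-alert text in the form the rule summary quotes."""
    return (f"Potential PowerShell TabExpansion activity observed on {hit['dest']} "
            f"via script block {hit['ScriptBlockId']}")
```

Tuning for the false positives the summary mentions would go in front of `tabexpansion_hits`, dropping events from trusted admin or developer users before aggregation.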
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Script
ATT&CK Techniques
  • T1059.001
  • T1129
Created: 2026-04-13