PowerShell Script with Webcam Video Capture Capabilities

Elastic Detection Rules

Summary
This rule detects PowerShell scripts that have the capability to record webcam video. Attackers can use such scripts to gather video footage for purposes such as extortion or unauthorized surveillance. The detection criteria include specific API calls and script patterns typically associated with webcam access. The rule runs against indexed Windows PowerShell logs and relies on continuous monitoring of PowerShell script executions. Enabling PowerShell Script Block Logging is a prerequisite, since it provides the detailed record of script content on which the rule depends. The rule also outlines incident response steps, including investigation and remediation, for handling a potential threat. It is mapped to the MITRE ATT&CK framework, specifically to the techniques for video capture and for command execution via PowerShell.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1125
  • T1059
  • T1059.001
Created: 2023-07-18