Powershell Keylogging

Sigma Rules

Summary
This detection rule aims to identify PowerShell scripts that implement keylogging techniques to capture user keystrokes, often used by adversaries to intercept sensitive information such as credentials. The rule detects the presence of specific PowerShell commands associated with keystroke logging. Notably, it looks for scripts containing 'Get-Keystrokes' or a combination of low-level Windows API calls (Get-ProcAddress, GetAsyncKeyState, and GetForegroundWindow) that are generally used to monitor user input. To function correctly, Script Block Logging must be enabled, allowing the rule to analyze the PowerShell commands executed on the target system and trigger alerts when suspicious keylogging behavior is detected.
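The matching logic described above, applied to constructed Script Block Logging events, as an added example that is not part of the rule page or of any Sigma tooling. It assumes a simplified stand-in for the Windows event fields (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log with ScriptBlockText, ScriptBlockId, MessageNumber and MessageTotal); the event records and the helper names are constructed for illustration. It also shows one caveat a practitioner hits with the three-API condition: the logger splits large scripts into several 4104 fragments, so the API names can land in different events and an evaluation per fragment misses them until the fragments are joined by ScriptBlockId.

```python
"""Added example: detection logic for the 'PowerShell Keylogging' rule run
over constructed Script Block Logging events (Event ID 4104). Illustration
code only; not the Sigma rule itself. Field layout is a simplified stand-in
for the real event's ScriptBlockText / ScriptBlockId / MessageNumber /
MessageTotal."""
from collections import defaultdict
from dataclasses import dataclass

# Indicators named in the rule summary.
KEYLOG_CMDLET = "Get-Keystrokes"
KEYLOG_API_COMBO = ("Get-ProcAddress", "GetAsyncKeyState", "GetForegroundWindow")


@dataclass(frozen=True)
class ScriptBlockEvent:
    event_id: int          # 4104 = script block logged
    script_block_id: str   # identical for every fragment of one script
    message_number: int    # 1-based fragment index
    message_total: int     # number of fragments for this script
    script_block_text: str


def is_keylogging(script_text: str) -> bool:
    """Mirror the rule: the cmdlet name alone, or all three API names together."""
    text = script_text.lower()  # PowerShell identifiers are case-insensitive
    if KEYLOG_CMDLET.lower() in text:
        return True
    return all(api.lower() in text for api in KEYLOG_API_COMBO)


def reassemble(events):
    """Join 4104 fragments by ScriptBlockId so the AND condition sees the whole
    script. Returns {script_block_id: full_text}. Non-4104 events (e.g. 4103
    module logging) are skipped: the rule's data source is script block logging."""
    parts = defaultdict(dict)
    for e in events:
        if e.event_id != 4104:
            continue
        parts[e.script_block_id][e.message_number] = e.script_block_text
    return {sid: "".join(frags[n] for n in sorted(frags)) for sid, frags in parts.items()}


def scan(events, per_fragment=False):
    """Return the sorted ScriptBlockIds that match. per_fragment=True evaluates
    each 4104 event on its own, which is how a naive per-event rule behaves."""
    if per_fragment:
        return sorted({e.script_block_id for e in events
                       if e.event_id == 4104 and is_keylogging(e.script_block_text)})
    return sorted(sid for sid, text in reassemble(events).items() if is_keylogging(text))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Direct use of the cmdlet name: matches on its own.
    ScriptBlockEvent(4104, "sb-1", 1, 1, "Get-Keystrokes <placeholder args>"),
    # A larger script split by the logger into two fragments; the three API
    # names only appear together once the fragments are joined.
    ScriptBlockEvent(4104, "sb-2", 1, 2,
                     "$GetAsyncKeyState = Get-ProcAddress user32.dll GetAsyncKeyState\n"),
    ScriptBlockEvent(4104, "sb-2", 2, 2,
                     "$GetForegroundWindow = Get-ProcAddress user32.dll GetForegroundWindow\n"),
    # Benign window automation touching one API only: must not match.
    ScriptBlockEvent(4104, "sb-3", 1, 1,
                     "$hwnd = [Win32]::GetForegroundWindow(); "
                     "Get-Process | Where-Object MainWindowHandle -eq $hwnd"),
    # Module logging (4103) is not the rule's data source: ignored.
    ScriptBlockEvent(4103, "sb-4", 1, 1, "CommandInvocation(Get-Keystrokes)"),
]

if __name__ == "__main__":
    print("per fragment:", scan(SAMPLE_EVENTS, per_fragment=True))  # ['sb-1']
    print("reassembled: ", scan(SAMPLE_EVENTS))                      # ['sb-1', 'sb-2']
```

The single-API benign script (sb-3) is why the rule requires all three calls together rather than any one of them; the split script (sb-2) is why a pipeline that feeds the rule should reassemble fragments, or at least correlate on ScriptBlockId, before deciding the condition is not met.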
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1218
  • T1056.001
Created: 2021-07-30