
PowerShell Script Keylogger

Anvilogic Forge

Summary
This detection rule identifies the execution of PowerShell scripts associated with keylogging. It looks for the Win32 API calls that keyloggers commonly use, such as `GetKeyState` and `GetAsyncKeyState`, together with other indicators of keystroke capture, including `SetWindowsHookEx` and `GetKeyboardState`. The rule consumes PowerShell log events with event code 4103 (module logging, which records pipeline execution details) or 4104 (script block logging, which records the content of each executed script block); both require the corresponding logging policy to be enabled on the endpoint, so the rule produces nothing on hosts where it is not. A regular expression extracts keywords matching known keystroke-capture methods from the message field, and the script name is extracted from the process field. Matches are aggregated into a timeline of potential malicious activity across endpoints, including time, host, user, and script name. The rule maps to the MITRE ATT&CK techniques for PowerShell command execution (T1059.001) and credential access through keylogging (T1056.001), and is suitable for organizations that want to monitor and mitigate the misuse of PowerShell for capturing user input.
Categories
  • Endpoint
  • Windows
  • Cloud
  • Other
Data Sources
  • Process
  • Script
  • Application Log
ATT&CK Techniques
  • T1056.001
  • T1059.001
Created: 2024-02-09