
Summary
Detects execution of the winPEAS privilege-escalation enumeration script (winPEAS.ps1) by monitoring PowerShell Script Block Logging events (Event ID 4104) for script block content characteristic of winPEAS. The rule matches ScriptBlockText against strings such as "returnHotFixID", "Start-ACLCheck", "UnquotedServicePathCheck" and "Get-ClipBoardText", function and check names that appear when winPEAS enumerates privilege-escalation opportunities on a host.

Telemetry: Event ID 4104 is written to the Microsoft-Windows-PowerShell/Operational log only when Script Block Logging is enabled on the endpoint, so that setting must be enabled and the log ingested. The rule's implementation notes also reference endpoint security (EDR) telemetry that provides complete command lines and process context, mapped to the CIM Endpoint.Processes data model for normalization; that mapping normalizes the process fields, while the ScriptBlockText being matched comes from the PowerShell log itself. Long scripts such as winPEAS.ps1 are logged as several 4104 events sharing one ScriptBlockId (with MessageNumber and MessageTotal fields), so the match fires on whichever fragment contains a marker string.

Output: when matched, the alert captures dest, ScriptBlockId and ScriptBlockText, and is complemented by a risk-based alerting (RBA) entry that designates dest as the risk object with a score of 50. Drilldown searches show matching results per user and host and correlate the host with risk events over time.

Known false positives: legitimate security assessments or audits that run winPEAS. Exclude trusted security tooling (authorised assessment accounts or hosts) to reduce noise. References point to winPEAS usage guidelines.

The rule is aligned with Windows endpoint post-exploitation monitoring and is implemented as a Splunk search with CIM normalization to improve detection fidelity.
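The detection logic described above, run over constructed sample events, as an added example that is not the rule's own SPL or any Splunk code. It assumes 4104 records with the field names the Splunk Windows add-on extracts from the PowerShell operational log (dest, user, ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText); the sample events, the `winpeas-assessment` allowlist entry and the function names are constructed for illustration. It goes one step beyond the rule by reassembling fragmented script blocks by ScriptBlockId before matching, so a marker split across two fragments is still caught.

```python
"""
Added example: apply the winPEAS ScriptBlockText markers to Event ID 4104 records,
reassemble multi-fragment script blocks, honour an allowlist of trusted assessment
accounts, and emit a risk event (score 50, risk object = dest) per matching block.
Field names follow the Splunk Windows TA; sample data below is constructed.
"""
from collections import Counter, defaultdict

# Marker strings named in the rule; matched case-insensitively like SPL wildcards.
WINPEAS_PATTERNS = (
    "returnHotFixID",
    "Start-ACLCheck",
    "UnquotedServicePathCheck",
    "Get-ClipBoardText",
)
RISK_SCORE = 50  # RBA score the rule assigns to the destination host

# Constructed sample events (not a real capture). Script Block Logging splits long
# scripts into several 4104 events that share ScriptBlockId; the first block below
# is deliberately out of order to show reassembly by MessageNumber.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "dest": "WS01", "user": "CORP\\jdoe", "ScriptBlockId": "sb-0001",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "  $clip = Get-ClipBoardText\n  UnquotedServicePathCheck\n}"},
    {"EventCode": 4104, "dest": "WS01", "user": "CORP\\jdoe", "ScriptBlockId": "sb-0001",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "function Start-ACLCheck {\n  $hot = returnHotFixID\n"},
    # Benign admin script: Get-HotFix is not a winPEAS marker.
    {"EventCode": 4104, "dest": "WS02", "user": "CORP\\admin", "ScriptBlockId": "sb-0002",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-HotFix | Select-Object HotFixID, InstalledOn"},
    # winPEAS run by the authorised assessment account (hypothetical allowlist entry).
    {"EventCode": 4104, "dest": "SRV01", "user": "CORP\\winpeas-assessment", "ScriptBlockId": "sb-0003",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Start-ACLCheck -Target 'C:\\Program Files'"},
    # Not a 4104 event: must be ignored even though the text matches.
    {"EventCode": 4103, "dest": "WS03", "user": "CORP\\x", "ScriptBlockId": "sb-0004",
     "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Start-ACLCheck"},
]


def reassemble(events):
    """Group 4104 fragments by (dest, ScriptBlockId) and join them in MessageNumber order."""
    frags = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 4104:
            continue
        frags[(e["dest"], e["ScriptBlockId"])].append(e)
    blocks = []
    for (dest, sbid), parts in frags.items():
        parts.sort(key=lambda p: p["MessageNumber"])
        blocks.append({
            "dest": dest,
            "user": parts[0]["user"],
            "ScriptBlockId": sbid,
            "ScriptBlockText": "".join(p["ScriptBlockText"] for p in parts),
            "complete": len(parts) == parts[0]["MessageTotal"],
        })
    return blocks


def detect_winpeas(events, allowlist=frozenset()):
    """Return one finding per reassembled block that contains a winPEAS marker."""
    allowed = {u.lower() for u in allowlist}
    findings = []
    for b in reassemble(events):
        if b["user"].lower() in allowed:
            continue  # trusted security tooling: suppress to reduce noise
        text = b["ScriptBlockText"].lower()
        matched = [p for p in WINPEAS_PATTERNS if p.lower() in text]
        if not matched:
            continue
        findings.append({
            "dest": b["dest"], "user": b["user"], "ScriptBlockId": b["ScriptBlockId"],
            "matched": matched, "complete": b["complete"],
            "risk_object": b["dest"], "risk_score": RISK_SCORE,
        })
    return findings


def drilldown_by_user_host(findings):
    """Counts per (user, dest), mirroring the rule's per-user/per-host drilldown."""
    return dict(Counter((f["user"], f["dest"]) for f in findings))


if __name__ == "__main__":
    for f in detect_winpeas(SAMPLE_EVENTS, allowlist={"CORP\\winpeas-assessment"}):
        print(f)
```

Reassembling by ScriptBlockId is stricter than the per-event match the SPL performs: a marker that straddles a fragment boundary is missed per event but found on the joined text. The `complete` flag tells an analyst whether every fragment arrived, which matters when a log forwarder drops events under load.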
Categories
- Endpoint
- Windows
Data Sources
- Script
ATT&CK Techniques
- T1590
- T1007
- T1082
- T1033
- T1592.002
- T1592.004
- T1016
- T1615
Created: 2026-04-13