
Summary
This analytic detects PowerShell Script Block Logging events (Event ID 4104) whose ScriptBlockText contains a complete P/Invoke process-injection API chain. It covers both compile-time and run-time techniques: (1) compile phase - inline C# via Add-Type -TypeDefinition, where the embedded code includes DllImport declarations and full P/Invoke signatures; (2) execution phase - PowerShell static method invocation patterns of the form ::MethodName(, anchored with execution-context indicators such as [IntPtr]::Zero or Marshal]::Copy.

The rule enumerates multiple injection techniques (self-injection shellcode runner; remote thread injection; APC injection; thread-context hijacking; process hollowing; section-map injection; reflective DLL loading; DLL injection) and maps them to concrete API call patterns (e.g., VirtualAlloc/VirtualProtect/CreateThread; OpenProcess/VirtualAlloc/WriteProcessMemory/CreateRemoteThread; QueueUserAPC; OpenThread/SuspendThread/GetThreadContext/WriteProcessMemory/SetThreadContext/ResumeThread; CreateProcess/VirtualAlloc/WriteProcessMemory/SetThreadContext/ResumeThread; NtCreateSection/NtMapViewOfSection/CreateRemoteThread; GetProcAddress/GetModuleHandle/VirtualProtect/CreateThread; etc.). Because the execution-phase patterns are included, the detection remains effective even when adversaries load pre-compiled assemblies from memory or disk without using Add-Type.

The rule relies on PowerShell Script Block Logging (4104) data and is targeted at endpoint activity. It aligns with MITRE techniques in the T1055 family (and sub-techniques) and attributes detections to a PowerShell-originating threat surface. It is designed to trigger on suspicious, multi-stage P/Invoke chains that culminate in one of the process-injection outcomes above, and to surface correlated signals across ScriptBlockText patterns and invocation styles captured in 4104 events.
Categories
- Endpoint
Data Sources
- Script
ATT&CK Techniques
- T1055
- T1620
- T1055.001
- T1055.003
- T1055.004
- T1055.012
- T1055.013
- T1059.001
Created: 2026-04-22