Windows PowerShell Script From WindowsApps Directory

Splunk Security Content

Summary
This detection rule identifies PowerShell scripts executed from the WindowsApps directory, a technique increasingly used by attackers who deliver malicious MSIX packages. Such packages start PowerShell through an embedded script, notably StartingScriptWrapper.ps1, to run harmful code. The rule relies on telemetry from Endpoint Detection and Response (EDR) agents, focusing on the command lines and parent process paths of PowerShell executions. The detection matters because this activity can let adversaries execute arbitrary code, maintain persistence, or deploy malware without triggering conventional security defenses. The rule draws on data sources such as Sysmon EventID 1 and Windows Event Log Security 4688 to monitor threats originating from the WindowsApps directory, which hosts legitimate packaged applications but is also abused by malicious actors.
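The matching logic the summary describes, run over a few constructed process-creation records, as an added Python example (not Splunk's own search or code). Field names such as `process_command_line` and `parent_process_path` are assumed normalized names, and the package folder and host names in the sample events are placeholders.

```python
import re

# The rule keys on the WindowsApps path fragment; Windows paths are case-insensitive.
WINDOWSAPPS_RE = re.compile(r"\\WindowsApps\\", re.IGNORECASE)
WRAPPER_RE = re.compile(r"StartingScriptWrapper\.ps1", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_hit(event: dict) -> bool:
    """True when a PowerShell host is launched from, or pointed at, WindowsApps."""
    if event["process_name"].lower() not in POWERSHELL_NAMES:
        return False
    return bool(WINDOWSAPPS_RE.search(event["process_command_line"])
                or WINDOWSAPPS_RE.search(event["parent_process_path"]))


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per matching event, tagging the wrapper-script case."""
    findings = []
    for e in events:
        if is_hit(e):
            findings.append({
                "dest": e["dest"],
                "parent": e["parent_process_path"],
                "command_line": e["process_command_line"],
                "wrapper_script": bool(WRAPPER_RE.search(e["process_command_line"])),
            })
    return findings


# Constructed sample events shaped like normalized Sysmon EventID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    # 1. Package launcher in WindowsApps runs the embedded wrapper script: true positive.
    {"dest": "ws01", "process_name": "powershell.exe",
     "process_command_line": 'powershell.exe -ExecutionPolicy Bypass -File "C:\\Program Files\\WindowsApps\\Example.App_1.0.0.0_x64__placeholder\\StartingScriptWrapper.ps1"',
     "parent_process_path": "C:\\Program Files\\WindowsApps\\Example.App_1.0.0.0_x64__placeholder\\AppLauncher.exe"},
    # 2. Ordinary interactive PowerShell started from Explorer: no match.
    {"dest": "ws01", "process_name": "powershell.exe",
     "process_command_line": "powershell.exe -NoProfile -Command Get-Date",
     "parent_process_path": "C:\\Windows\\explorer.exe"},
    # 3. Command line says nothing about WindowsApps, but the parent lives there: match via parent path.
    {"dest": "ws02", "process_name": "pwsh.exe",
     "process_command_line": "pwsh.exe -NoLogo -File C:\\Users\\Public\\setup.ps1",
     "parent_process_path": "C:\\Program Files\\WindowsApps\\Example.App_1.0.0.0_x64__placeholder\\AppLauncher.exe"},
    # 4. Not a PowerShell host: cmd.exe referencing WindowsApps is outside this rule's scope.
    {"dest": "ws02", "process_name": "cmd.exe",
     "process_command_line": 'cmd.exe /c dir "C:\\Program Files\\WindowsApps"',
     "parent_process_path": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Events 1 and 3 are reported; only event 1 carries the wrapper-script tag, which is the case the summary singles out.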
Categories
  • Endpoint
  • Windows
ATT&CK Techniques
  • T1059
  • T1059.001
  • T1204.002
Created: 2025-08-05