
Summary
This rule identifies potentially malicious execution of the CSharp Interactive Console (CSI) from PowerShell or one of its variants. The detection logic focuses on process creation events in which the executable 'csi.exe' is launched as a child process. The rule requires that the parent process is one of the recognized Windows PowerShell executables, which narrows the match to that specific execution context and helps reduce false positives. Because attackers may use CSI to execute arbitrary CSharp scripts, this detection aids in monitoring unusual activity associated with the .NET Framework and CSharp environments. When this rule triggers, further investigation is needed to establish whether the executed commands were legitimate and what their potential impact on the infrastructure is.
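The following is an added example, not part of the rule page or of any detection project, showing the rule's logic applied to process creation events. The set of PowerShell host executables (powershell.exe, powershell_ise.exe, pwsh.exe) is an assumption, since the page does not list them, and the sample events are constructed, using the Image/ParentImage/CommandLine field names common to Windows process creation telemetry.

```python
"""Apply the 'csi.exe launched by PowerShell' rule to process creation events."""
import ntpath
from typing import Dict, Iterable, List

# Assumed set of PowerShell host executables; the rule text only says
# "recognized Windows PowerShell executables" without naming them.
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
CSI_IMAGE = "csi.exe"

# Constructed sample events (not real telemetry) in the field layout used by
# Windows process creation logs: Image, ParentImage, CommandLine.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # csi.exe spawned by Windows PowerShell -> should match
        "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community"
                 r"\MSBuild\Current\Bin\Roslyn\csi.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"csi.exe C:\Users\alice\AppData\Local\Temp\script.csx",
    },
    {   # csi.exe spawned by Visual Studio itself -> expected developer use, no match
        "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community"
                 r"\MSBuild\Current\Bin\Roslyn\csi.exe",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019"
                       r"\Community\Common7\IDE\devenv.exe",
        "CommandLine": "csi.exe",
    },
    {   # PowerShell spawning cmd.exe -> wrong child, no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # Mixed-case paths from PowerShell 7 -> matching must be case-insensitive
        "Image": r"C:\Tools\Roslyn\CSI.EXE",
        "ParentImage": r"C:\Program Files\PowerShell\7\PWSH.EXE",
        "CommandLine": r"CSI.EXE -i",
    },
]


def _image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path.

    ntpath handles backslash separators on any host OS, so this also works
    when events are analysed on Linux."""
    return ntpath.basename(path).lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the child image is csi.exe and the parent is a PowerShell host."""
    child = _image_name(event.get("Image", ""))
    parent = _image_name(event.get("ParentImage", ""))
    return child == CSI_IMAGE and parent in POWERSHELL_IMAGES


def match_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that trigger the rule."""
    return [event for event in events if matches_rule(event)]


def triage_summary(event: Dict[str, str]) -> str:
    """One-line summary an analyst can use to start investigating a hit."""
    return (f"{_image_name(event['ParentImage'])} -> {_image_name(event['Image'])}"
            f": {event.get('CommandLine', '')}")


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("ALERT:", triage_summary(hit))
```

Matching on the file name alone is what the rule describes; a renamed copy of csi.exe would evade it, so where the telemetry carries an original file name or binary hash, a production version would compare those as well.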
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-03-08