Remote PowerShell Session (PS Module)

Sigma Rules

Summary
This detection rule identifies remote PowerShell sessions in a Windows environment, particularly those initiated from external hosts. It uses the context information recorded by PowerShell module logging to separate legitimate from potentially malicious PowerShell executions. The primary indicators are events whose context information names 'wsmprovhost.exe' together with a namespace specific to remote sessions. The rule filters out known legitimate script executions involving the PowerShell Archive module, which keeps false positives from routine administration to a minimum. It is particularly relevant for organizations monitoring lateral movement or unauthorized remote access, since it focuses on misuse of PowerShell remoting, a capability commonly abused in advanced persistent threat activity.
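The matching logic described above, replayed over constructed module-logging records, as an added example that is not the Sigma rule itself. It assumes the Windows PowerShell module-logging layout (Event ID 4103 with a ContextInfo block whose "Host Application" line names the hosting process, plus a Payload field); the records, paths and field names below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions (not stated on the page): module-logging records carry a
# ContextInfo block whose "Host Application" line names the hosting process
# and a Payload field describing the invoked pipeline. Field names follow
# the Microsoft-Windows-PowerShell/Operational 4103 event layout.
HOST_INDICATOR = "wsmprovhost.exe"               # WinRM provider host for remote sessions
BENIGN_MODULE = "microsoft.powershell.archive"   # Archive module filter named in the summary


@dataclass
class PsModuleEvent:
    event_id: int
    context_info: str
    payload: str


def is_remote_session(ev: PsModuleEvent) -> bool:
    """True for remotely hosted PowerShell activity that is not attributable
    to the Archive module (Compress-Archive / Expand-Archive)."""
    if ev.event_id != 4103:                      # only module-logging events
        return False
    ctx, pl = ev.context_info.lower(), ev.payload.lower()
    if HOST_INDICATOR not in ctx:                # hosting process is not the WinRM plugin host
        return False
    if BENIGN_MODULE in ctx or BENIGN_MODULE in pl:  # known-good administration activity
        return False
    return True


def find_remote_sessions(events: Iterable[PsModuleEvent]) -> List[PsModuleEvent]:
    return [e for e in events if is_remote_session(e)]


def _ctx(host_app: str, command: str) -> str:
    """Build a ContextInfo block in the shape module logging emits (constructed)."""
    return f"Severity = Informational\r\n Host Application = {host_app}\r\n Command Name = {command}"


WSMAN = r"C:\Windows\system32\wsmprovhost.exe -Embedding"
CONSOLE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    PsModuleEvent(4103, _ctx(WSMAN, "Get-Service"), 'CommandInvocation(Get-Service): "Get-Service"'),
    PsModuleEvent(4103, _ctx(WSMAN, "Expand-Archive"), "CommandInvocation(Expand-Archive): Microsoft.PowerShell.Archive"),
    PsModuleEvent(4103, _ctx(CONSOLE, "Get-Service"), 'CommandInvocation(Get-Service): "Get-Service"'),
    PsModuleEvent(4104, _ctx(WSMAN, "Get-Service"), "Creating Scriptblock text (1 of 1): Get-Service"),
]

if __name__ == "__main__":
    for hit in find_remote_sessions(SAMPLE_EVENTS):   # only the first record fires
        print("ALERT remote PowerShell session:", hit.context_info.splitlines()[1].strip())
```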
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Logon Session
Created: 2019-08-10