
Summary
This detection rule identifies the abuse of a custom file open handler in Windows to execute PowerShell commands. Attackers can modify Windows Registry settings so that malicious software runs whenever a specific file type is opened. Specifically, this rule looks for modifications to the registry path associated with file open commands, targeting the 'shell\open\command\' registry key. If the stored command executes 'powershell' with the '-command' argument, the rule triggers an alert, since this behavior is high-risk and can indicate an attempt to establish persistence or run malicious scripts. The rule helps monitor and identify potentially malicious PowerShell execution via custom handlers, a technique increasingly used in sophisticated attacks such as those seen in the SolarMarker campaign.
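Added example, not part of the rule page itself: the rule's matching logic applied to a few constructed registry-modification records. Field names (TargetObject, Details) are borrowed from Sysmon Event ID 13 as an assumption, and the records and helper names are made up for illustration.

```python
# Constructed sample registry value-set events in Sysmon Event ID 13 style.
# None of these are real telemetry; they are made up to exercise the rule.
SAMPLE_EVENTS = [
    {   # custom .xyzfile handler rewritten to launch a hidden PowerShell script
        "TargetObject": r"HKLM\SOFTWARE\Classes\.xyzfile\shell\open\command\(Default)",
        "Details": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                   r'-WindowStyle Hidden -Command "& C:\Users\Public\x.ps1"',
    },
    {   # benign: default text-file handler pointing at Notepad
        "TargetObject": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
        "Details": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    },
    {   # per-user handler, mixed case: the rule must match case-insensitively
        "TargetObject": r"HKCU\Software\Classes\.abc\shell\open\command\(Default)",
        "Details": r'POWERSHELL.EXE -NoProfile -COMMAND "iex (gc %1)"',
    },
    {   # PowerShell in a Run key: persistence, but not a file open handler,
        # so it is out of scope for this particular rule
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'powershell.exe -command "start-sleep 1"',
    },
]


def is_custom_handler_powershell(event):
    """Return True when a registry event matches the rule's logic: the
    modified value lives under a shell\\open\\command\\ key and the stored
    command launches powershell with a -command argument."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if "\\shell\\open\\command\\" not in target:
        return False
    return "powershell" in details and "-command" in details


def find_alerts(events):
    """Return the TargetObject of every event that would raise an alert."""
    return [e["TargetObject"] for e in events if is_custom_handler_powershell(e)]


if __name__ == "__main__":
    for key in find_alerts(SAMPLE_EVENTS):
        print("ALERT: PowerShell file open handler set at", key)
```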
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2022-06-11