
Summary
This rule analyzes PowerShell script executions that target the 'TrustedHosts' configuration in WSMan settings, as captured by EventCode 4104. It identifies script block text containing commands that modify or concatenate trusted hosts, which could indicate an attempt to manipulate remote access settings. Such changes can open avenues for unauthorized access to sensitive systems: an attacker who controls TrustedHosts can establish persistent remote connections and evade existing security controls. Correct implementation requires PowerShell Script Block Logging to be enabled on endpoints; it is the data source the rule triggers on, and it allows unauthorized changes that may signal a broader compromise to be monitored effectively.
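The following is an added illustration of the detection logic the summary describes, not the rule's own search or code from the project that publishes it. It runs the TrustedHosts check over a handful of constructed EventCode 4104 records (the hostnames, SIDs and script text are made up), excludes read-only `Get-Item` lookups to keep noise down, and raises severity when the value written is a bare wildcard. Field names such as `ScriptBlockText`, `Computer` and `UserID` are assumed to mirror the logged event; adjust them to your log pipeline.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample EventCode 4104 records; illustrative only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventCode": 4104, "Computer": "ws01.example.internal", "UserID": "S-1-5-21-1",
     "ScriptBlockText": r"Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.5' -Force"},
    {"EventCode": 4104, "Computer": "ws02.example.internal", "UserID": "S-1-5-21-2",
     "ScriptBlockText": r"Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Concatenate -Force"},
    {"EventCode": 4104, "Computer": "ws03.example.internal", "UserID": "S-1-5-21-3",
     "ScriptBlockText": r"Get-Item WSMan:\localhost\Client\TrustedHosts"},
    {"EventCode": 4104, "Computer": "ws04.example.internal", "UserID": "S-1-5-21-4",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    # Not a 4104 record: Script Block Logging text is absent, so the rule must skip it.
    {"EventCode": 4103, "Computer": "ws05.example.internal", "UserID": "S-1-5-21-5",
     "ScriptBlockText": r"Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.9'"},
]

# WSMan provider path of the client TrustedHosts item; both slash styles are accepted.
TRUSTEDHOSTS_PATH = re.compile(r"WSMan:[\\/]+localhost[\\/]+Client[\\/]+TrustedHosts", re.IGNORECASE)
# Cmdlets or parameters that write the item. Get-Item only reads it and is deliberately excluded.
WRITE_VERB = re.compile(r"\b(Set-Item|Set-ItemProperty)\b|-Concatenate\b", re.IGNORECASE)
# A bare '*' trusts every host, which warrants a higher severity than a single address.
WILDCARD_VALUE = re.compile(r"-Value\s+['\"]?\*['\"]?", re.IGNORECASE)


def classify(script_block: str) -> str:
    """Return 'none', 'modify', or 'modify_wildcard' for one ScriptBlockText value."""
    if not TRUSTEDHOSTS_PATH.search(script_block):
        return "none"
    if not WRITE_VERB.search(script_block):
        return "none"
    if WILDCARD_VALUE.search(script_block):
        return "modify_wildcard"
    return "modify"


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the rule to a stream of events and return one finding per matching script block."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        verdict = classify(str(ev.get("ScriptBlockText", "")))
        if verdict == "none":
            continue
        findings.append({
            "Computer": str(ev["Computer"]),
            "UserID": str(ev.get("UserID", "")),
            "verdict": verdict,
            "severity": "high" if verdict == "modify_wildcard" else "medium",
            "ScriptBlockText": str(ev["ScriptBlockText"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['Computer']:24} {f['verdict']:16} {f['ScriptBlockText']}")
```

Run against the constructed sample, the rule fires on ws01 (a single address, medium) and ws02 (a wildcard concatenation, high) and stays silent on the read-only lookup, the unrelated process listing, and the non-4104 record. In triage, the `UserID` and `Computer` fields are what you pivot on to confirm whether the change was an administrator's expected WinRM setup or an unauthorized modification.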
Categories
- Endpoint
Data Sources
- Persona
- Script
ATT&CK Techniques
- T1021.006
- T1021
Created: 2024-11-13