
Summary
This detection rule identifies potentially malicious code execution that uses 'Pester.bat' as the parent process. Pester is a testing framework for PowerShell that is often abused as a living-off-the-land binary to execute unauthorized commands. The rule looks for instances where the parent process is either Windows PowerShell or pwsh (PowerShell Core) with a command line that refers to the Pester module directory. The detection logic consists of two main selection criteria: it checks whether the parent image ends with 'powershell.exe' or 'pwsh.exe' and whether the parent command line contains the directory path of the Pester module. Additionally, it monitors for child command lines that invoke Pester functions such as 'Invoke-Pester' or that display help with 'Get-Help'. The rule triggers only when all of the specified conditions match. False positives may occur in legitimate testing scenarios where Pester is used as intended, so investigators should confirm the script under test and the user context before escalating. The rule helps detect attacks that aim to achieve code execution while bypassing traditional security controls by leveraging a legitimate, signed tool shipped with PowerShell.
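To make the selection criteria concrete, here is an added example (not the rule's own code or the original page's) that evaluates the same three conditions over constructed process-creation events. Field names follow Sysmon Event ID 1 naming, and the Pester module directory fragment is an assumption, since the page only says "the directory path for Pester modules".

```python
# Assumed module-directory fragment (the page does not state the exact path).
PESTER_MODULE_DIR = "\\WindowsPowerShell\\Modules\\Pester\\"
PARENT_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
PESTER_INVOCATIONS = ("Invoke-Pester", "Get-Help")


def matches_pester_rule(event: dict) -> bool:
    """Return True only when all selection criteria hold.

    Comparisons are case-insensitive, mirroring the usual string-matching
    semantics of Sigma modifiers such as endswith/contains.
    """
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    cmd = event.get("CommandLine", "").lower()

    parent_is_powershell = parent_image.endswith(tuple(p.lower() for p in PARENT_IMAGES))
    parent_refs_pester_dir = PESTER_MODULE_DIR.lower() in parent_cmd
    child_calls_pester = any(s.lower() in cmd for s in PESTER_INVOCATIONS)
    return parent_is_powershell and parent_refs_pester_dir and child_calls_pester


def scan_events(events: list) -> list:
    """Return the indices of the events that match the rule."""
    return [i for i, e in enumerate(events) if matches_pester_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # matches: PowerShell parent launched from the Pester module dir, child runs Invoke-Pester
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": 'powershell.exe -File "C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.ps1"',
        "CommandLine": 'powershell.exe -NoProfile -Command "Invoke-Pester -Script C:\\Users\\Public\\t.ps1"',
    },
    {   # no match: parent is cmd.exe, not PowerShell, even though Pester.bat appears
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": 'cmd.exe /c "C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.bat"',
        "CommandLine": 'powershell.exe -Command "Invoke-Pester"',
    },
    {   # no match: pwsh parent, but its command line never references the Pester module dir
        "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "ParentCommandLine": "pwsh.exe -NoLogo",
        "CommandLine": "pwsh.exe -Command Get-Help Invoke-Pester",
    },
]

if __name__ == "__main__":
    print("matching event indices:", scan_events(SAMPLE_EVENTS))
```

Only the first constructed event satisfies all three conditions; the other two show why each criterion is needed to keep the rule from firing on ordinary PowerShell or cmd activity.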
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-08-20