
Summary
This detection rule monitors PowerShell script block logging (Event ID 4104) for executions of the Add-WindowsCapability cmdlet, which installs optional Windows capabilities on a running system. Its primary use case is spotting unauthorized installation of OpenSSH: the OpenSSH.Server capability in particular gives an attacker a persistent remote shell and file-transfer channel that blends in with legitimate administration. The rule fires when the logged script block text contains both the cmdlet name and the capability name. Expect legitimate hits from provisioning and configuration-management scripts; review those and filter by account, host, or script path to reduce false positives rather than disabling the rule. Keeping visibility over these administrative actions is what prevents an attacker from quietly adding a remote-access foothold to the host.
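The detection logic described above, run over constructed script block log records, as an added example that is not part of the rule or its original page. The record fields mirror Event ID 4104 (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal), but the events, the user names, and the allow-list of expected accounts are assumptions made for the example. It also shows the caveat a practitioner hits in practice: a long script is logged as several 4104 fragments that share a ScriptBlockId, so the cmdlet and the capability name can land in different events unless the fragments are joined first.

```python
"""Detection logic for the Add-WindowsCapability / OpenSSH rule, applied to
constructed PowerShell script block log records.

Added example, not the rule's own implementation. Field names mirror Event
ID 4104; the events below are constructed, not real telemetry, and the
allow-list is an assumed tuning knob.
"""
import re
from collections import defaultdict

# Constructed 4104-style events. Block b2 is logged as two fragments, which is
# how PowerShell records a script block larger than one event payload.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "User": "CORP\\jdoe",
     "ScriptBlockText": "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "User": "CORP\\svc_sccm",
     "ScriptBlockText": "# deployment\nadd-windowscapability -online `\n"},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,
     "User": "CORP\\svc_sccm",
     "ScriptBlockText": "  -Name OpenSSH.Client~~~~0.0.1.0"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "User": "CORP\\jdoe",
     "ScriptBlockText": "Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"},
]

# Both terms are matched case-insensitively because PowerShell itself is.
CMDLET = re.compile(r"\bAdd-WindowsCapability\b", re.IGNORECASE)
CAPABILITY = re.compile(r"\bOpenSSH\b", re.IGNORECASE)

# Assumed tuning knob: accounts whose use of the cmdlet is expected.
ALLOWED_USERS = {"CORP\\svc_sccm"}


def reassemble(events):
    """Join 4104 fragments by ScriptBlockId in MessageNumber order.

    Returns {ScriptBlockId: {"User", "ScriptBlockText", "complete"}} in the
    order the blocks first appear in the log.
    """
    fragments = defaultdict(dict)
    meta = {}
    for e in events:
        fragments[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
        meta[e["ScriptBlockId"]] = (e["User"], e["MessageTotal"])
    blocks = {}
    for sbid, frags in fragments.items():
        user, total = meta[sbid]
        blocks[sbid] = {
            "User": user,
            "ScriptBlockText": "".join(frags[n] for n in sorted(frags)),
            "complete": len(frags) == total,   # False if a fragment was dropped
        }
    return blocks


def matches_rule(text):
    """The rule condition: cmdlet name and capability name both present."""
    return bool(CMDLET.search(text) and CAPABILITY.search(text))


def detect(events, allowed_users=ALLOWED_USERS):
    """Apply the rule to reassembled blocks.

    Returns one record per matching block, in log order; 'suppressed' is set
    when the executing account is on the allow-list, so the hit is kept for
    review but would not page anyone.
    """
    results = []
    for sbid, block in reassemble(events).items():
        if not matches_rule(block["ScriptBlockText"]):
            continue
        results.append({
            "ScriptBlockId": sbid,
            "User": block["User"],
            "suppressed": block["User"] in allowed_users,
            "complete": block["complete"],
        })
    return results


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        state = "suppressed" if hit["suppressed"] else "ALERT"
        print(f"{state}: block {hit['ScriptBlockId']} by {hit['User']}")
```

Run as written, block a1 alerts, b2 matches but is suppressed as an expected deployment account, c3 is a read-only Get-WindowsCapability query and d4 adds a capability that is not OpenSSH. Two limits to keep in mind when tuning: the rule keys on the literal cmdlet name, so the same capability installed through `DISM /Online /Add-Capability` or through a cmdlet name assembled from string fragments at runtime is outside its scope, and a suppressed hit is still worth keeping in the log, since a compromised deployment account is exactly the case where an allow-list hides the signal.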
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2023-01-22